Advanced

# IT Governance RACI — Meridian Financial Group
# R = Responsible, A = Accountable, C = Consulted, I = Informed
# => RACI separates execution (R) from authority (A); both must be assigned for every decision
 
governance_decisions:
  major_it_investment: # => Decisions >$5M or strategic platform replacement
    IT: C # => CIO provides technical feasibility and cost estimate
    Business: A # => Business unit sponsor owns the business case and benefits
    Legal: C # => Legal consulted for contract, IP, and data obligations
    HR: I # => HR informed of workforce impact (retraining, redundancy)
    Board: A # => Board approves; dual-A reflects governance + business accountability
 
  architecture_standards: # => Enterprise architecture principles, platform choices
    IT: A # => CTO/Enterprise Architect accountable; business executes to these standards
    Business: C # => Business consulted to ensure standards enable capability delivery
    Legal: I # => Legal informed; flagged only if data residency implicated
    HR: I
    Board: I
 
  risk_appetite: # => Tolerance levels for IT risk categories (cyber, availability, data)
    IT: C # => IT provides risk quantification and control effectiveness data
    Business: C # => Business articulates acceptable service disruption tolerance
    Legal: C # => Legal frames regulatory minimum floors
    HR: I
    Board: A # => Board owns risk appetite; cannot be delegated below Board level
 
  policy_approval: # => IT security policy, acceptable use, data classification policy
    IT: R # => IT drafts and maintains policy content
    Business: C # => Business consulted on operational feasibility
    Legal: C # => Legal ensures regulatory alignment
    HR: C # => HR consulted on employment law implications for acceptable use
    Board: A # => Board approves; sub-$threshold policies may delegate to ExCo
 
  vendor_onboarding: # => Third-party risk assessment and contract approval
    IT: R # => IT conducts technical due diligence and security assessment
    Business: A # => Business unit accountable for vendor relationship and performance
    Legal: C # => Legal reviews MSA, DPA, SLA obligations
    HR: I
    Board: I # => Board informed for strategic or >$10M vendors only
 
  change_freeze: # => Major release freezes (financial close, peak trading, regulatory deadlines)
    IT: A # => IT accountable for freeze enforcement and emergency CAB
    Business: C # => Business provides calendar of critical periods
    Legal: I
    HR: I
    Board: I
 
  data_classification: # => Classifying data assets (public/internal/confidential/restricted)
    IT: R # => IT operationalizes classification tooling and labels
    Business: A # => Data owners (business) accountable for classifying their data
    Legal: C # => Legal defines regulatory classification obligations (PII, PHI, PCI)
    HR: C # => HR consulted for employee data classification
    Board: I
 
  incident_escalation: # => P1/P2 escalation paths and communication obligations
    IT: R # => IT manages incident response; escalates per threshold
    Business: C # => Business provides impact context and customer communication
    Legal: C # => Legal consulted for breach notification obligations
    HR: I
    Board: I # => Board notified for systemic, regulatory, or reputational incidents
 
 
# => Review cadence: RACI reviewed annually and after any significant org restructure
# => Conflicts: any RACI gap (no A assigned) is a governance defect — escalation to Group CIO

| Phase | Title                              | Key Activities                                                                                                        | Deliverables                                                          | Governance Checkpoint                              | Duration     |
| ----- | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | -------------------------------------------------- | ------------ |
| 1     | What are the drivers?              | Identify pain points, regulatory pressure, strategic goals; stakeholder interviews; current-state pain point register | Pain point register; stakeholder map; business case draft             | ExCo sponsor sign-off on business case             | 4–6 weeks    |
| 2     | Where are we now?                  | Capability maturity assessment across selected COBIT focus areas; benchmark vs industry peers; gap analysis           | As-is maturity scores; gap analysis report; peer benchmark            | IT Steering Committee reviews gap analysis         | 6–8 weeks    |
| 3     | Where do we want to be?            | Target maturity definition per domain; prioritize focus areas using COBIT performance management; align to strategy   | Target maturity profile; prioritized improvement backlog              | Board/ExCo approves target maturity and scope      | 3–4 weeks    |
| 4     | What needs to be done?             | Detailed improvement initiatives per gap; assign ownership; define KPIs and metrics; resource plan                    | Improvement initiative register; KPI framework; resource plan         | IT Steering Committee approves initiative register | 4–6 weeks    |
| 5     | How do we get there?               | Execute initiatives per roadmap; process design workshops; tool deployment; training; policy drafting                 | Implemented processes; updated policies; training completion records  | Monthly PMO review; quarterly ExCo progress report | 12–18 months |
| 6     | Did we get there?                  | Post-implementation maturity reassessment; measure KPIs; close gap analysis vs Phase 2 baseline                       | Reassessment report; KPI dashboard; closed vs open gaps               | Board receives maturity progress report            | 4–6 weeks    |
| 7     | How do we keep the momentum going? | Embed continuous improvement; update RACI; link to annual planning; institutionalize COBIT review cadence             | Ongoing governance calendar; updated operating model; lessons learned | Annual Board IT Governance review                  | Ongoing      |
 
# => Phase 1 is diagnostic — skipping it causes misaligned scope and wasted Phase 4–5 effort
 
# => Phase 3 requires Board/ExCo involvement — target maturity set too low by IT alone loses credibility
 
# => Phase 5 is the longest and most resource-intensive; budget for change management, not just tooling
 
# => Phase 6 must use same assessment instrument as Phase 2 to produce comparable scores
 
# => Phase 7 is frequently skipped — COBIT programs that omit it regress within 18 months

# COBIT 2019 — AI Governance Focus Area Mapping
# Solaris Bank | Chief Digital Officer Office
 
cobit_ai_governance_mapping:
  EDM03_risk_optimisation:
    cobit_objective: "Ensure that risk appetite and tolerance are defined, risk to enterprise value is identified and managed, and risk of IT failure does not exceed appetite"
    # => EDM03 is the governance-layer objective — Board and ExCo own it, not IT operational teams
 
    ai_extensions:
      - id: EDM03-AI-01
        description: "Define AI risk appetite: acceptable use cases, prohibited use cases, tolerance for model error rates"
        # => AI risk appetite must specify maximum acceptable false-positive and false-negative rates by use case
        rationale: "Without explicit AI risk appetite, teams make inconsistent model deployment decisions"
 
      - id: EDM03-AI-02
        description: "Establish AI ethics principles aligned to EU AI Act risk classification (unacceptable/high/limited/minimal)"
        # => EU AI Act Article 5 prohibits certain AI uses; ethics principles must reflect legal prohibitions
        rationale: "Principles without legal grounding create compliance gaps when regulators audit"
 
      - id: EDM03-AI-03
        description: "Board-level review of AI risk register at minimum annually; quarterly for high-risk AI systems"
        # => High-risk AI under EU AI Act requires ongoing human oversight — Board review cadence must reflect this
        rationale: "AI risk is dynamic; static annual reviews miss model drift and emergent bias"
 
  APO12_managed_risk:
    cobit_objective: "Identify, assess, and reduce IT risk within tolerance levels on a continual basis"
    # => APO12 is the management-layer objective — CRO and CIO jointly own; feeds EDM03 risk reporting
 
    ai_extensions:
      - id: APO12-AI-01
        description: "Maintain AI model inventory: model ID, owner, use case, risk tier, training data provenance, last validation date"
        # => Model inventory is the foundation of AI risk management — cannot manage what is not catalogued
        example_fields: [model_id, owner, risk_tier, training_data_source, last_validation, drift_threshold]
 
      - id: APO12-AI-02
        description: "Conduct AI-specific risk assessment: data bias risk, model explainability gap, adversarial attack surface, third-party model dependency"
        # => Standard IT risk taxonomy (confidentiality/integrity/availability) is insufficient for AI risk
        # => Add: fairness risk, opacity risk, concept drift risk, supply chain model risk
 
      - id: APO12-AI-03
        description: "Monitor model performance in production; trigger re-validation when drift metrics exceed defined thresholds"
        # => Model drift is an IT risk; APO12 monitoring controls must extend to ML observability tooling
 
  BAI02_managed_requirements:
    cobit_objective: "Identify solutions and analyse requirements before acquisition or creation to ensure they align with strategic enterprise requirements"
    # => BAI02 governs the build/buy decision — AI use cases must pass requirements governance before development
 
    ai_extensions:
      - id: BAI02-AI-01
        description: "AI use case intake form: business objective, data requirements, explainability requirement, regulatory classification, success metrics"
        # => Intake form forces upfront classification of EU AI Act risk tier before any development begins
        # => Prevents high-risk AI systems being built without conformity assessment planning
 
      - id: BAI02-AI-02
        description: "Require AI Impact Assessment for high-risk AI use cases before project approval"
        # => Analogous to Privacy Impact Assessment — assesses fairness, discrimination, human oversight adequacy
        # => EU AI Act Article 9 requires risk management system for high-risk AI
 
      - id: BAI02-AI-03
        description: "Define model acceptance criteria: accuracy threshold, fairness metrics, explainability level, human-override capability"
        # => Acceptance criteria must be defined before development — not reverse-engineered to fit delivered model
 
# => ISO/IEC 42001:2023 and NIST AI RMF 1.0 can be used alongside this COBIT mapping
# => COBIT provides governance structure; 42001 provides management system requirements; NIST RMF provides operational functions

| Principle       | 38500:2015 Scope                                         | 38500:2024 Additions                                                                                                           | Governance Implication                                                                            |
| --------------- | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------- |
| Responsibility  | Directors assign responsibility for IT supply and demand | Add: explicit accountability for AI systems including autonomous decision-making systems; roles for AI oversight               | Board must designate accountable owner for each AI system; cannot be delegated to algorithm       |
| Strategy        | IT strategy aligned to business strategy                 | Add: sustainability strategy integration — climate impact of IT infrastructure, digital footprint targets                      | IT strategy must include energy consumption targets and cloud carbon reporting                    |
| Acquisition     | IT acquisitions made for valid reasons                   | Add: AI system acquisition requires assessment of training data provenance, bias testing, and EU AI Act risk tier              | Pre-acquisition AI risk assessment mandatory before procurement approval                          |
| Performance     | IT performs to satisfaction of stakeholders              | Add: AI system performance monitoring includes fairness metrics, model drift, and human override efficacy                      | KPI dashboards must include AI-specific performance indicators beyond availability/latency        |
| Conformance     | IT complies with applicable legislation                  | Add: AI-specific regulatory conformance (EU AI Act, ISO 42001, national AI regulations); sustainability reporting (CSRD, TCFD) | Compliance calendar must include AI regulation milestones and sustainability disclosure deadlines |
| Human Behaviour | IT policies respect human behaviour                      | Add: AI systems must respect human dignity, prevent discrimination, maintain meaningful human oversight                        | Acceptable use policy for AI must address human dignity and override rights explicitly            |
 
# => 38500:2024 does not replace 2015 — it extends it; existing 2015 compliance work remains valid
 
# => Sustainability additions align with EU Corporate Sustainability Reporting Directive (CSRD) requirements
 
# => AI additions are consistent with ISO/IEC 42001:2023 and EU AI Act obligations
 
# => "Human Behaviour" principle extension is the most significant conceptual shift: AI accountability is a board-level human responsibility, not a technical one
 
# => Gap assessment required: organisations compliant with 2015 must re-assess against 2024 additions specifically

# ITIL 4 to ITIL V5 Transition Roadmap
# Vantage Global Services | ITSM Transformation Office
 
itil_v5_transition:
  structural_changes:
    itil_4_construct: "Service Value Chain (SVC) — 6 activities: Plan, Engage, Design & Transition, Obtain/Build, Deliver & Support, Improve"
    # => ITIL 4 SVC is a flexible operating model; activities are not sequential stages
 
    itil_v5_construct: "8-stage Product and Service Lifecycle"
    v5_stages:
      - "1. Strategy & Vision" # => New: explicit strategy stage aligns service portfolio to enterprise goals
      - "2. Portfolio & Demand" # => Merges ITIL 4 Plan + Engage demand elements
      - "3. Design & Architecture" # => Expands ITIL 4 Design & Transition; architecture is first-class
      - "4. Build & Test" # => Operationalises ITIL 4 Obtain/Build with explicit test gates
      - "5. Deploy & Release" # => Separates deployment from design; aligns to DevOps release pipelines
      - "6. Operate & Support" # => Evolution of ITIL 4 Deliver & Support; includes AI-assisted ops
      - "7. Improve & Optimise" # => Continuous improvement formalized as lifecycle stage, not embedded activity
      - "8. Retire & Transition" # => New: explicit service retirement and knowledge transfer obligations
 
    # => Advanced modules covering AI-assisted operations and platform product management rolling out through May 2026
 
  what_stays_the_same:
    - "Four Dimensions of Service Management (Organizations & People, Information & Technology, Partners & Suppliers, Value Streams & Processes)"
    # => Four Dimensions are V5-confirmed; no changes — investment in dimension assessment remains valid
    - "ITIL Guiding Principles (Focus on value, Start where you are, Progress iteratively, Collaborate, Think holistically, Keep it simple, Optimise and automate)"
    # => 7 Guiding Principles retained unchanged — training materials remain current
    - "Service Value System (SVS) as overarching governance model"
    # => SVS is V5-compatible; the lifecycle replaces SVC within SVS, not the SVS itself
    - "Practice library (34 management practices)"
    # => Practices updated but not renamed; existing practice owners retain accountability
 
  certification_pathway:
    itil_4_holders:
      - "ITIL 4 Foundation → V5 Foundation Bridge (available Q3 2026)"
      # => Bridge exam expected ~45 questions; estimated 6–8 hours study for experienced practitioners
      - "ITIL 4 Managing Professional/Strategic Leader → V5 equivalent bridge modules (available Q4 2026)"
      # => Full credential migration path confirmed by AXELOS; no expiry of existing certs during transition period
    new_candidates:
      - "ITIL V5 Foundation (primary entry point from Feb 2026)"
      - "ITIL V5 Practitioner and Specialist modules (rolling through 2026)"
      # => V5 Specialist tracks include: Product Management, AI-Assisted Operations, Platform Engineering
 
  transition_timeline:
    2026_q1: "V5 Foundation launched Feb 12; assess current ITIL 4 process maturity against 8-stage lifecycle"
    2026_q2: "Gap analysis; map existing processes to V5 stages; identify orphaned activities"
    2026_q3: "Pilot V5 lifecycle in 1-2 service domains; bridge training for senior ITSM staff"
    2026_q4: "Full rollout; update service management tooling (ServiceNow, Jira Service Management) to V5 stage model"
    2027_q1: "Post-transition maturity reassessment; close certification gap for all ITSM roles"
 
# => No forced retirement of ITIL 4 processes — transition is evolutionary, not cutover
# => Organisations running ITIL 3 still face two-generation gap; V5 Foundation is recommended direct entry

# Cloud Governance Framework — Stratos Capital Partners
# VP Cloud Engineering | Cloud Centre of Excellence
 
cloud_governance:
  accountability_model:
    cloud_owner:
      definition: "Enterprise role: VP Cloud Engineering"
      # => Single accountable owner prevents the 'everyone's cloud is nobody's cloud' failure mode
      responsibilities:
        - "Set enterprise cloud policy, standards, and guardrails"
        - "Approve cloud provider agreements (EA, committed use)"
        - "Own cloud risk register and escalate to CRO"
        - "Govern Cloud Centre of Excellence (CCoE)"
 
    cloud_custodian:
      definition: "Platform Engineering team; one designated custodian per cloud account"
      # => Custodian is operational steward — not the business owner, not the developer
      responsibilities:
        - "Implement and maintain technical guardrails (SCPs, Azure Policy, GCP Org Policies)"
        - "Monitor cost anomalies and security findings"
        - "Enforce tagging standards and enforce account baseline"
        - "Execute remediation within SLA when policy violations detected"
 
    cloud_consumer:
      definition: "Application teams, product squads, data teams consuming cloud services"
      # => Consumer is responsible for application-level security and cost efficiency within allocated budget
      responsibilities:
        - "Use approved services from cloud service catalogue"
        - "Request exceptions through formal process"
        - "Maintain application-level encryption and access controls"
        - "Participate in monthly FinOps review"
 
  policy_domains:
    cost_governance:
      budget_allocation: "Per-account budget set quarterly; breach at 80% triggers alert, 100% triggers freeze"
      # => Budget freeze at 100% prevents runaway spend; engineering lead must approve any unfreeze
      tagging_mandate: "All resources must carry: env, owner, cost-centre, project, data-classification"
      # => Untagged resources auto-suspended after 72-hour grace period; prevents unowned resource sprawl
      rightsizing: "Custodian runs rightsizing analysis monthly; >30% idle resources flagged for owner review"
 
    security_baseline:
      encryption: "All storage encrypted at rest (AES-256); all data in transit TLS 1.2+ minimum"
      # => Enforced via SCP (AWS) / Azure Policy / GCP Org Policy — deviation requires exception
      network: "No public internet exposure for data stores; all ingress via approved gateway"
      identity: "No long-lived access keys; all access via federated identity (Okta SSO); MFA mandatory"
      # => Access key exceptions require CISO approval and 90-day expiry; no permanent exceptions
      vulnerability_management: "Critical CVEs patched within 72 hours; high within 14 days"
 
    data_sovereignty:
      primary_regions: ["eu-west-1", "eu-central-1"] # => GDPR data residency — EU only for personal data
      cross_region_replication: "Allowed for DR only within EU boundary; non-EU replication requires DPO approval"
      # => Data sovereignty policy tied to GDPR Article 44-49 transfer obligations
      data_classification_enforcement: "Restricted data prohibited in public cloud unless Confidential Computing enclave approved"
 
  exception_process:
    submission: "Cloud exception request via ServiceNow RITM; owner + business justification + risk acceptance required"
    # => Exceptions without explicit risk acceptance signature are auto-rejected
    approval_matrix:
      low_risk: "Cloud Custodian approves; 30-day maximum duration"
      medium_risk: "VP Cloud Engineering approves; 90-day maximum; mandatory review at 45 days"
      high_risk: "CRO + CISO joint approval; 90-day maximum; Board Risk Committee informed"
    # => No permanent exceptions; all exceptions have expiry and mandatory review
    tracking: "All active exceptions in cloud governance register; reviewed in monthly CCoE meeting"
 
# => Control catalog maps each policy to: enforcement mechanism, detection control, remediation SLA
# => Annual cloud governance maturity assessment against NIST CSF and CCM (Cloud Controls Matrix)

| ISO 42001:2023 Clause | Clause Title                | NIST AI RMF Function | Current State                                                              | Target State                                                                | Priority | Priority Action                                                        |
| --------------------- | --------------------------- | -------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------------- | -------- | ---------------------------------------------------------------------- |
| 4                     | Context of the Organisation | GOVERN               | AI use cases inventoried informally; no formal scope                       | Formal AI scope statement; stakeholder register; interested party analysis  | HIGH     | Complete AI system inventory; define AIMS scope boundary               |
| 5                     | Leadership                  | GOVERN               | CTO owns AI informally; no Board-level AI policy                           | Board-approved AI policy; designated AI risk owner (Chief AI Officer)       | CRITICAL | Board approve AI policy and designate AI risk owner by Q3 2026         |
| 6                     | Planning                    | GOVERN + MAP         | Risk assessment for individual AI projects; no enterprise AI risk register | Enterprise AI risk register; AI objectives with measurable targets          | HIGH     | Establish enterprise AI risk register; link to APO12 risk process      |
| 7                     | Support                     | GOVERN               | Ad hoc AI training; no competency framework                                | AI competency framework; training records; awareness programme              | MEDIUM   | Define AI roles and competencies; launch AI literacy programme         |
| 8.2                   | AI Risk Assessment          | MAP + MEASURE        | Risk assessed project-by-project; no standard methodology                  | Standard AI risk assessment methodology; bias testing; adversarial testing  | HIGH     | Deploy standard AI risk assessment template for all new models         |
| 8.3                   | AI Impact Assessment        | MAP                  | No formal impact assessment process                                        | AI impact assessment for high-risk systems before deployment                | HIGH     | Define impact assessment trigger criteria aligned to EU AI Act         |
| 8.4                   | AI System Lifecycle         | MAP + MANAGE         | Lifecycle managed in MLOps platform; no governance gates                   | Formal governance gates at design, deploy, and retire milestones            | HIGH     | Add governance review gates to MLOps pipeline at three checkpoints     |
| 9                     | Performance Evaluation      | MEASURE              | Model accuracy monitored; no fairness or drift monitoring                  | Full model performance dashboard: accuracy, fairness, drift, explainability | MEDIUM   | Implement ML observability tooling; add fairness metrics to dashboards |
| 10                    | Improvement                 | MANAGE               | Incidents corrected reactively; no preventive improvement process          | AI incident register; corrective action process; lessons learned cycle      | MEDIUM   | Launch AI incident register; integrate with existing ITSM process      |
 
# => ISO 42001:2023 is a management system standard — it requires documented procedures, not just practices
 
# => NIST AI RMF 1.0 is a voluntary framework — mapping to it strengthens regulatory positioning with US regulators
 
# => GOVERN function of NIST AI RMF maps primarily to ISO 42001 Clauses 4, 5, 6, 7 — leadership and context
 
# => MAP function maps to Clauses 6, 8.2, 8.3 — risk identification and impact assessment
 
# => MEASURE function maps to Clause 9 — performance evaluation and metrics
 
# => MANAGE function maps to Clauses 8.4, 10 — lifecycle governance and improvement
 
# => Dual-framework approach avoids duplication: one control satisfies both where mapping aligns

# EU AI Act Risk Classification Decision Tree
# Eurobanc Asset Management | CCO Office
# Phased implementation: 2025–2027
 
eu_ai_act_classification:
  tier_1_unacceptable_risk:
    status: "PROHIBITED — Article 5"
    # => Prohibited uses were enforceable from August 2, 2025 (first enforcement phase)
    examples:
      - "Social scoring systems for general public by governments"
      - "Real-time biometric identification in public spaces (with narrow law enforcement exceptions)"
      - "Subliminal manipulation of human behaviour causing harm"
      - "AI that exploits vulnerabilities of specific groups (age, disability)"
    # => Financial sector context: no retail banking AI use case should approach this tier
    board_obligation: "Board must confirm no prohibited AI use in portfolio; legal opinion documented"
 
  tier_2_high_risk:
    status: "CONFORMITY ASSESSMENT REQUIRED — Annex III"
    # => High-risk AI systems require conformity assessment before market placement or use
    # => Financial sector: AI in creditworthiness assessment, fraud detection affecting individuals = high-risk
    # => Full enforcement of high-risk obligations: August 2, 2026 (second enforcement phase)
    examples:
      - "Credit scoring models affecting loan decisions"
      - "Insurance underwriting AI systems"
      - "AI-assisted recruitment and HR management"
      - "Fraud detection systems that block customer transactions"
      - "AI systems in critical infrastructure management"
    conformity_requirements:
      - "Risk management system (Article 9)"
      # => Ongoing risk identification, evaluation, mitigation — not one-time assessment
      - "Data governance (Article 10) — training data quality, bias assessment"
      - "Technical documentation (Article 11) — maintained throughout lifecycle"
      - "Transparency and provision of information (Article 13)"
      - "Human oversight measures (Article 14) — human-override capability mandatory"
      - "Accuracy, robustness and cybersecurity (Article 15)"
    board_obligation: "Board approves high-risk AI inventory; CCO certifies conformity assessment completion; Board Risk Committee informed of material high-risk deployments"
 
  tier_3_limited_risk:
    status: "TRANSPARENCY OBLIGATIONS — Article 52"
    # => Limited risk AI must disclose AI nature to affected persons
    examples:
      - "Customer-facing chatbots (must disclose AI identity)"
      - "Emotion recognition systems (must inform persons being analysed)"
      - "Deepfake or AI-generated content (must label as AI-generated)"
    board_obligation: "Board approves transparency disclosure standard; legal review of customer-facing disclosure language"
 
  tier_4_minimal_risk:
    status: "NO MANDATORY REQUIREMENTS — voluntary code of conduct encouraged"
    # => Vast majority of AI use cases fall here; no legal conformity obligations
    examples:
      - "AI-powered spam filters"
      - "Predictive text and autocomplete"
      - "AI-driven operational analytics (internal, non-consequential)"
      - "Recommendation engines for internal knowledge management"
    board_obligation: "Minimal; included in overall AI governance reporting for completeness"
 
  classification_decision_tree:
    step_1: "Is the AI use prohibited under Article 5? → YES: prohibited; NO: continue"
    step_2: "Is the AI use listed in Annex III (high-risk categories)? → YES: high-risk tier; NO: continue"
    step_3: "Does the AI interact with humans, generate content, or affect individual rights? → YES: limited risk; NO: minimal risk"
    # => Each step requires documented classification rationale — regulators will audit classification decisions
    # => Misclassification (high-risk classified as minimal) is a material compliance risk
 
  penalties:
    prohibited_violations: "Up to EUR 35M or 7% of global annual turnover (whichever higher)"
    high_risk_violations: "Up to EUR 15M or 3% of global annual turnover"
    # => Penalties calculated on global turnover — a €2B revenue bank faces up to €60M for prohibited use violations
 
# => Classification must be revisited when AI system purpose or deployment context changes
# => EU AI Act applies to providers AND deployers — asset managers deploying third-party AI models still bear obligations

# DORA ICT Risk Management Framework
# Aldgate Bank PLC | CRO Office
# DORA in force: January 17, 2025
 
dora_ict_risk_framework:
  pillar_1_governance_and_organisation:
    dora_articles: ["Art. 5", "Art. 6"]
    # => Art. 5: Management body accountability — Board owns ICT risk; cannot fully delegate
    # => Art. 6: ICT risk management framework — maintained, documented, approved by management body
 
    board_obligations:
      - "Board approves ICT risk management framework and reviews annually"
      # => 'Management body' under DORA = Board; approval cannot be delegated to CRO alone
      - "Board allocates sufficient budget and resources to ICT risk management"
      - "Board receives regular ICT risk reporting; escalation path defined in framework"
      - "Board members must have sufficient understanding of ICT risks (individual and collective)"
      # => DORA Art. 5(4): training obligations for Board on ICT risk — documented training records required
 
    governance_artifacts:
      - "ICT Risk Management Framework document (Board-approved)"
      - "ICT risk appetite statement (linked to enterprise risk appetite)"
      - "Board ICT risk training records"
 
  pillar_2_ict_risk_management:
    dora_articles: ["Art. 8", "Art. 9", "Art. 10", "Art. 11", "Art. 12", "Art. 13"]
    # => Art. 8–13 form the operational risk management cycle: identify, protect, detect, respond, recover, learn
 
    requirements:
      identification: "ICT asset inventory; dependency mapping; threat landscape assessment — Art. 8"
      protection: "Encryption, IAM, network segmentation, physical security — Art. 9"
      detection: "Anomaly monitoring, SIEM, log management with defined retention — Art. 10"
      response_recovery: "BCP, DRP, communication plans; RTO/RPO defined and tested — Art. 11"
      backup: "Backup strategy; isolation of backup systems; restoration testing — Art. 12"
      learning: "Post-incident review; root cause analysis; lessons learned cycle — Art. 13"
 
  pillar_3_ict_incident_management:
    dora_articles: ["Art. 17", "Art. 18", "Art. 19", "Art. 20"]
    # => Art. 17: incident classification criteria — major vs non-major based on materiality thresholds
    # => Art. 18–20: reporting obligations (see Example 67 for detail)
 
    classification_criteria:
      major_incident_triggers:
        - "Number of clients affected exceeds materiality threshold"
        - "Geographic spread across multiple EU member states"
        - "Duration: >24 hours continuous impact on critical functions"
        - "Reputational, financial, or operational consequences deemed material"
        - "Data loss or integrity impact on critical or sensitive information"
      # => Competent authority (national regulator) sets materiality thresholds; Aldgate uses FCA guidance
 
  pillar_4_digital_operational_resilience_testing:
    dora_articles: ["Art. 24", "Art. 25", "Art. 26"]
    # => Art. 24: basic testing programme (all entities) — annual vulnerability assessments, network security tests
    # => Art. 25–26: TLPT (Threat-Led Penetration Testing) for significant entities every 3 years
 
    basic_testing:
      frequency: "Annual minimum"
      scope: "Vulnerability assessments, network security tests, gap analyses, physical security reviews"
      # => Basic testing applies to ALL DORA-in-scope entities regardless of size
 
    tlpt:
      applicability: "Significant entities designated by competent authorities"
      frequency: "Every 3 years"
      # => TLPT simulates real threat actor TTPs against production systems
      # => TIBER-EU framework is the TLPT methodology recognised under DORA Art. 26
      scope: "Critical or important functions and supporting ICT systems"
      third_party_inclusion: "TLPT scope may include critical ICT third-party providers"
 
  pillar_5_third_party_ict_risk:
    dora_articles: ["Art. 28", "Art. 29", "Art. 30"]
    # => Art. 28: general third-party risk management principles
    # => Art. 29: key contractual provisions mandatory for critical ICT providers
    # => Art. 30: register of ICT third-party service arrangements
 
    critical_ict_providers:
      designation: "European Supervisory Authorities (EBA/ESMA/EIOPA) designate critical ICT third-party providers"
      # => Designated critical providers subject to direct regulatory oversight from ESAs
      enhanced_requirements:
        - "Full audit rights and access rights in contracts"
        - "Exit strategies and concentration risk assessment"
        - "Incident notification obligations on providers"
 
    third_party_register:
      format: "Standardised register per EBA/ESMA/EIOPA ITS (Implementing Technical Standards)"
      submission: "Annual submission to competent authority"
      # => Register covers all ICT third-party arrangements, not only critical ones
 
  penalties:
    individual_senior_management: "Up to 1,000,000 EUR for personal liability"
    entities: "Up to 2% of global annual turnover for serious violations"
    # => Penalties apply per DORA Art. 50 — competent authority enforcement

# DORA Incident Reporting and TLPT Requirements
# Thorngate Securities | Operational Resilience Function
# DORA in force: January 17, 2025
 
dora_incident_reporting:
  major_incident_lifecycle:
    initial_notification:
      deadline: "Within 4 hours of classification as major incident"
      # => 4-hour clock starts from classification, not from detection
      # => Classification decision must be made promptly — delayed classification does not extend the 4-hour window
      recipient: "Competent authority (FCA for UK-equivalent; national regulator for EU entities)"
      # => For cross-border groups: report to home-state competent authority; group-wide coordinator notified
      content_required:
        - "Incident reference number and classification (major)"
        - "Initial description: nature, geographic scope, affected critical functions"
        - "Estimated client impact (number of clients, type of service disruption)"
        - "Preliminary cause hypothesis (IT failure / cyber attack / third-party failure / unknown)"
        - "Initial containment and response actions taken"
      # => Initial notification is intentionally brief — detail follows in intermediate report
      format: "Standardised EBA/ESMA template (ITS on incident reporting)"
 
    intermediate_report:
      deadline: "Within 72 hours of initial notification"
      # => 72-hour window aligned with GDPR personal data breach notification — both may be required simultaneously
      # => Intermediate report required even if incident is still ongoing
      content_required:
        - "Updated impact assessment: clients affected, financial impact quantification"
        - "Root cause (preliminary): confirmed or updated hypothesis"
        - "Response actions: containment measures, recovery actions, third-party engagement"
        - "Updated timeline of events"
        - "Estimated resolution date if known"
        # => Material changes from initial notification must be highlighted explicitly
      regulatory_expectation: "Competent authority may issue requests for additional information within 72-hour window"
 
    final_report:
      deadline: "Within 1 month of intermediate report (or resolution if earlier)"
      # => Final report closes the regulatory incident record
      content_required:
        - "Root cause (confirmed): full technical and procedural analysis"
        - "Total impact: financial, operational, reputational — quantified"
        - "Recovery timeline: actual vs planned RTO/RPO"
        - "Lessons learned: control improvements identified"
        - "Corrective actions: with owner and implementation date"
        - "Third-party involvement: if ICT provider caused or contributed to incident"
      # => Regulators use final reports to identify systemic risk patterns across sector
      # => Poor quality final reports attract supervisory attention and follow-up interviews
 
  dora_tlpt_programme:
    applicability:
      scope: "Significant entities designated by competent authority"
      # => Designation criteria include: size, interconnectedness, criticality to financial system
      # => Thorngate designated significant entity by FCA under DORA equivalent regime
 
    frequency: "Every 3 years (Art. 26)"
    # => 3-year cycle is a minimum — entities may conduct more frequently
    # => TLPT does NOT replace annual basic testing (vulnerability assessments, pen tests)
 
    methodology:
      framework: "TIBER-EU (Threat Intelligence-Based Ethical Red Teaming)"
      # => TIBER-EU is the recognised TLPT methodology under DORA; national variants (CBEST, TIBER-NL) also accepted
      phases:
        generic_threat_intelligence: "Threat intelligence provider produces GTI report on sector-level threats"
        targeted_threat_intelligence: "TTI provider produces entity-specific intelligence: TTPs likely to target Thorngate"
        # => TTI must be produced by independent, DORA-qualified threat intelligence provider
        red_team_testing: "Red team executes attack scenarios based on TTI; no advance notice to blue team"
        # => Production systems in scope; actual attack simulation against live environment
        closure: "Purple team exercise; findings debrief with entity; remediation plan"
 
    scope_inclusions:
      - "Critical or important functions as per DORA Art. 28 classification"
      - "ICT systems supporting those functions (production only)"
      - "ICT third-party providers at entity's discretion (with provider consent)"
      # => Including third parties in TLPT scope requires explicit contract provisions — see Art. 29
 
    output_requirements:
      - "TLPT attestation certificate (issued by competent authority on completion)"
      # => Certificate required for mutual recognition across EU member states
      - "Remediation plan with risk-ranked findings"
      - "Board sign-off on remediation plan and resource allocation"
      # => Board accountability for TLPT remediation is explicit — cannot be delegated entirely to CRO
 
  combined_testing_calendar:
    annual: "Basic testing: vulnerability assessment, network security tests, BCP/DRP exercises"
    every_3yr: "TLPT (significant entities); comprehensive resilience assessment"
    # => Testing calendar approved by Board Risk Committee; gaps are reportable deficiencies

# IT Risk Register — ESG Extension
# Calloway Insurance Group | Group CRO Office
# Aligned to: TCFD, CSRD (EU Corporate Sustainability Reporting Directive)
 
esg_it_risk_register:
 
  climate_risk_to_it_infrastructure:
 
    risk_id: ESG-IT-001
    risk_title: "Physical climate risk to primary data centre — flooding and heat stress"
    # => TCFD physical risk category: acute (flood event) and chronic (rising temperatures reducing cooling efficiency)
    risk_description: "Primary data centre in coastal zone faces 1-in-50-year flood risk by 2040 under IPCC RCP4.5 scenario"
    # => Climate scenario analysis required under TCFD and CSRD — risk register must cite scenario basis
    inherent_risk_rating: HIGH
    controls:
      - "Flood barriers and elevated infrastructure: reduces acute flood exposure"
      - "Redundant geographically dispersed DR site (inland, elevation >20m)"
      # => DR site selection must consider climate trajectory, not only current risk
      - "Annual infrastructure climate resilience review against updated IPCC scenarios"
    residual_risk_rating: MEDIUM
    board_reporting: "Quarterly to Board Sustainability Committee; annual TCFD disclosure"
    csrd_linkage: "ESRS E1 (Climate Change) — physical risk disclosure; ESRS E2 (Pollution) — cooling system emissions"
 
    risk_id: ESG-IT-002
    risk_title: "Transition risk — carbon pricing impact on cloud and data centre energy costs"
    # => TCFD transition risk category: policy and legal — carbon pricing makes energy-intensive IT operations more expensive
    risk_description: "Carbon taxes increasing 15% annually (EU ETS trajectory) raise data centre energy costs by est. €2.1M/year by 2028"
    controls:
      - "Cloud workload migration to renewable-energy-certified regions (AWS eu-west-1 100% renewable)"
      - "IT energy efficiency programme: server consolidation, cold aisle containment, workload scheduling"
      - "Green IT procurement standard: minimum Energy Star rating for all hardware"
    board_reporting: "Annual to Board; included in CSRD ESRS E1 transition risk disclosure"
 
  social_governance_metrics:
 
    metric_id: ESG-IT-S01
    metric_title: "Digital inclusion — IT accessibility compliance"
    # => Social dimension: WCAG AA compliance for customer-facing IT systems is a social governance metric
    measurement: "% of customer-facing digital touchpoints meeting WCAG 2.1 AA standard"
    current_state: "67% compliant (Q1 2026 audit)"
    target_state: "100% compliant by Q4 2026"
    board_reporting: "Annual; included in CSRD ESRS S4 (Consumers and End-users) disclosure"
 
    metric_id: ESG-IT-S02
    metric_title: "IT workforce diversity and inclusion in technology roles"
    # => HR and IT joint metric — percentage of women and underrepresented groups in IT leadership
    measurement: "% women in IT leadership roles; % underrepresented groups in IT hiring"
    current_state: "28% women in IT leadership (vs 35% industry median)"
    board_reporting: "Annual; CSRD ESRS S1 (Own Workforce) disclosure"
 
  supply_chain_digital_due_diligence:
 
    risk_id: ESG-IT-SC01
    risk_title: "IT supply chain ESG risk — hardware manufacturing labour standards"
    # => CSRD ESRS S2 (Workers in Value Chain) — hardware suppliers must demonstrate labour standards compliance
    risk_description: "Key hardware suppliers in high-risk geographies for forced labour; conflict minerals exposure"
    controls:
      - "Supplier ESG questionnaire — mandatory for all IT hardware vendors >£100K annual spend"
      - "Third-party ESG audit for Tier 1 hardware suppliers every 2 years"
      - "Conflict minerals disclosure requirement in hardware procurement contracts"
    board_reporting: "Annual supply chain ESG report to Board; flagged items to Audit Committee"
 
# => ESG-IT risk register items feed into enterprise ESG risk register via ERM integration
# => Board Sustainability Committee receives ESG-IT dashboard quarterly
# => CSRD mandatory for large EU companies from FY2024 reporting; insurance groups typically in scope

| Domain              | Level 1: Initial                                       | Level 2: Managed                                           | Level 3: Defined                                                    | Level 4: Quantitatively Managed                              | Level 5: Optimising                                                         | Current Level | Priority Actions to Advance                                 |
| ------------------- | ------------------------------------------------------ | ---------------------------------------------------------- | ------------------------------------------------------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------- | ------------- | ----------------------------------------------------------- |
| Data Strategy       | No formal data strategy; ad hoc decisions              | Data strategy exists but not linked to business strategy   | Data strategy integrated with business strategy; Board-approved     | Data strategy has measurable KPIs; tracked quarterly         | Data strategy continuously adapted using business outcomes                  | 2             | Develop Board-approved data strategy with measurable KPIs   |
| Data Quality        | No data quality standards; errors corrected reactively | Quality rules defined per system; no enterprise standard   | Enterprise data quality framework; DQ scorecards per domain         | DQ metrics tracked with statistical control limits; alerting | Predictive DQ; ML-driven anomaly detection; self-healing pipelines          | 2             | Define enterprise DQ framework; deploy DQ scorecards        |
| Metadata Management | No metadata catalogue; knowledge in people's heads     | Some data dictionaries; not maintained systematically      | Enterprise metadata catalogue (Collibra/Alation); business glossary | Metadata completeness tracked; lineage coverage measured     | Automated metadata harvesting; AI-assisted lineage; active data marketplace | 1             | Procure metadata catalogue tool; build business glossary    |
| Data Architecture   | No architecture standards; siloed data stores          | Architecture principles documented; inconsistently applied | Enterprise data model; master data management for key domains       | Architecture compliance measured; deviations tracked         | Event-driven architecture; real-time data mesh; architecture as code        | 2             | Define enterprise data model for patient and financial data |
| Data Lifecycle      | Data retained indefinitely; no classification          | Retention schedules exist for some data types              | Enterprise data retention policy; classification implemented        | Retention compliance measured; automated enforcement partial | Fully automated lifecycle: classification, retention, deletion, archival    | 1             | Implement data classification; define retention schedules   |
 
<!-- => DAMA-DMBOK provides the knowledge areas; maturity levels adapted from CMMI maturity model -->
<!-- => Level 3 is the minimum viable governance posture for a regulated healthcare organisation -->
<!-- => Meridian current state is predominantly Level 1-2 — significant investment required before Level 3 -->
<!-- => Priority sequencing: Data Strategy first (enables everything else); Metadata Management second (enables Data Quality measurement) -->
<!-- => Board investment case: Level 1→3 across all domains estimated 18-24 month programme; Level 3→5 is operational optimisation horizon -->

# IT Risk Committee Escalation Structure
# Solaris Financial Services | Group CRO Office
 
risk_committee_structure:
  tier_1_it_risk_committee:
    name: "IT Risk Committee (ITRC)"
    chair: "Chief Information Security Officer (or CTO if no CISO)"
    # => CISO chair ensures cybersecurity risk receives appropriate technical scrutiny at this tier
    composition:
      - "CTO (Vice Chair)"
      - "Head of IT Operations"
      - "Head of Architecture"
      - "Head of IT Compliance"
      - "Business Risk Manager (rotating representative per business unit)"
      # => Business representative prevents IT risk becoming a purely technical committee
    quorum: "Chair + 3 members (minimum)"
    cadence: "Monthly; extraordinary sessions within 48 hours for Severity 1 incidents"
 
    escalation_thresholds_to_tier_2:
      - "IT risk with residual risk rating HIGH or CRITICAL"
      - "IT incident with financial impact >$500K or reputational impact (media coverage)"
      - "IT risk affecting regulatory compliance or causing regulatory breach"
      - "Any IT risk where ITRC cannot reach consensus on treatment"
      - "IT risk remaining open beyond agreed remediation timeline (>90 days)"
      # => Escalation thresholds must be calibrated to organisational risk appetite — these are illustrative
 
    reporting_outputs:
      - "Monthly IT risk dashboard to Group Enterprise Risk Committee"
      - "Quarterly IT risk register with heat map"
      - "Immediate escalation memo for threshold-breaching items"
 
  tier_2_enterprise_risk_committee:
    name: "Group Enterprise Risk Committee (ERC)"
    chair: "Group Chief Risk Officer"
    # => CRO chair integrates IT risk with financial, operational, strategic, and reputational risk
    composition:
      - "CFO"
      - "COO"
      - "CTO"
      - "CISO"
      - "Chief Compliance Officer"
      - "Head of Internal Audit (observer)"
      # => Internal Audit is observer only — preserves independence; attends but does not vote
    quorum: "Chair + 4 members (minimum)"
    cadence: "Bi-monthly; extraordinary session within 24 hours for crisis-level escalations"
 
    escalation_thresholds_to_tier_3:
      - "IT risk with potential financial impact >$5M"
      - "IT risk with regulatory sanction risk (regulatory enforcement action possible)"
      - "IT risk affecting strategic objectives or M&A transactions"
      - "IT risk requiring Board Risk Appetite amendment"
      - "Material IT breach or incident with systemic sector-level risk"
      # => ERC escalates selectively — Board Risk Committee must not be overwhelmed with operational detail
 
    reporting_outputs:
      - "Quarterly ERC report to Board Risk Committee (risk register summary + key escalations)"
      - "Annual enterprise risk appetite review recommendation to Board"
 
  tier_3_board_risk_committee:
    name: "Board Risk Committee (BRC)"
    chair: "Independent Non-Executive Director"
    # => Independent NED chair is market standard for regulated financial institutions
    composition:
      - "Minimum 3 Non-Executive Directors (majority independent)"
      - "Group CRO (Management attendee; not a voting member)"
      - "Group CEO (standing invitation)"
    quorum: "2 Independent NEDs minimum"
    cadence: "Quarterly; extraordinary session for crisis or regulatory enforcement"
 
    it_risk_agenda_items:
      standing:
        - "IT risk register (top 10 risks summary)"
        - "ITRC and ERC escalation items"
        - "IT risk appetite compliance status"
      annual:
        - "IT governance maturity assessment"
        - "TLPT / cybersecurity testing results"
        - "Technology strategy alignment with risk appetite"
 
# => Escalation path must be one-directional — risks escalate up, decisions and risk appetite flow down
# => De-escalation process: ITRC formally closes or downgrades risks; ERC confirms de-escalation for previously escalated items
# => Annual review of thresholds: calibrated to inflation, business growth, and regulatory developments

| #   | Due Diligence Item                        | Assessment Approach                                                     | Findings (Illustrative)                                          | Risk Rating | Integration Implication                                   |
| --- | ----------------------------------------- | ----------------------------------------------------------------------- | ---------------------------------------------------------------- | ----------- | --------------------------------------------------------- |
| 1   | IT governance maturity                    | COBIT maturity self-assessment review; interview CIO/CTO                | Ad hoc (Level 1); no formal IT governance framework              | HIGH        | Governance uplift programme required post-acquisition     |
| 2   | Information security posture              | Review last penetration test, ISMS audit, vulnerability scan            | ISO 27001 not certified; last pen test >18 months ago            | HIGH        | Security remediation plan required before integration     |
| 3   | Regulatory compliance obligations         | Compliance register review; PCI DSS, GDPR, PSD2 status                  | PCI DSS Level 1 compliant; GDPR gaps identified                  | MEDIUM      | GDPR remediation plan; no impact on PCI compliance        |
| 4   | Technology architecture                   | Architecture diagram review; technology stack inventory                 | Monolithic legacy core; 15-year-old middleware                   | HIGH        | Architecture modernisation required; 3-5 year horizon     |
| 5   | Technical debt quantification             | Code quality assessment; deferred maintenance backlog                   | £4.2M deferred maintenance backlog identified                    | HIGH        | £4.2M to be reflected in acquisition price adjustment     |
| 6   | Cloud strategy and posture                | Cloud account inventory; governance maturity; cost structure            | 3 unmanaged AWS accounts; no cloud governance                    | MEDIUM      | Cloud governance framework required; consolidate accounts |
| 7   | Data governance and data quality          | Data inventory; GDPR Article 30 records; data quality assessment        | No data catalogue; GDPR Article 30 register incomplete           | HIGH        | Data governance programme required; regulatory risk       |
| 8   | IT contracts and vendor dependencies      | IT contract review; critical vendor list; exit provisions               | 2 critical vendor contracts with no exit provisions              | HIGH        | Renegotiate contracts; concentration risk mitigation      |
| 9   | Disaster recovery and business continuity | BCP/DRP documentation; last test results; RTO/RPO status                | DR site exists; last tested 3 years ago; RPO not defined         | MEDIUM      | DR test programme required; define RPO by system tier     |
| 10  | Cybersecurity incident history            | Incident register review; breach notification history; insurance claims | 2 unreported incidents in past 24 months (potential GDPR breach) | CRITICAL    | Legal review; potential GDPR notification obligation      |
| 11  | IT staffing and key person dependencies   | Org chart; key person risk assessment; employment contract review       | 3 critical roles held by single individuals; no succession       | HIGH        | Retention packages; knowledge transfer programme          |
| 12  | Software licensing compliance             | SAM (Software Asset Management) review; license audit history           | SAM audit never conducted; estimated 35% unlicensed software     | MEDIUM      | License remediation required; estimated £180K cost        |
| 13  | Open source licence obligations           | SBOM (Software Bill of Materials) review; GPL/LGPL exposure             | GPL-licensed code in commercial product (undisclosed)            | HIGH        | Legal review; code remediation or licence purchase        |
| 14  | IT insurance coverage                     | Cyber insurance policy review; coverage limits; exclusions              | Cyber insurance: £2M limit (inadequate for business scale)       | MEDIUM      | Increase cyber insurance coverage post-acquisition        |
| 15  | Network architecture and segmentation     | Network diagram review; segmentation controls; firewall rule review     | Flat network; no production/dev segregation                      | HIGH        | Network remediation required before integration           |
| 16  | Identity and access management            | IAM review; privileged access management; MFA adoption                  | No PAM solution; 60% MFA adoption; shared accounts present       | HIGH        | IAM uplift programme; shared account elimination          |
| 17  | IT change management process              | Change management policy; CAB existence; change success rate            | Informal change process; no CAB; frequent outages                | MEDIUM      | ITSM tool deployment; change management training          |
| 18  | Intellectual property — IT assets         | IP ownership review; code ownership; patent review                      | Core payment algorithm IP ownership ambiguous                    | HIGH        | IP legal review; clarify ownership before completion      |
| 19  | Integration complexity assessment         | API inventory; data exchange patterns; integration architecture         | 47 bespoke integrations; no API documentation                    | HIGH        | Integration programme 18–24 months; high cost             |
| 20  | IT costs and budget accuracy              | IT cost allocation review; shadow IT identification; budget variance    | 22% shadow IT spend identified; budget underreported by £1.1M    | MEDIUM      | True-up IT budget in acquisition model                    |
 
<!-- => CRITICAL items (row 10) require immediate legal review before signing — may affect representations and warranties -->
<!-- => HIGH items (rows 1,2,4,5,7,8,11,13,15,16,18,19) collectively represent material IT integration risk -->
<!-- => Total estimated IT remediation cost: £8.4M over 36 months — recommended price adjustment or indemnity -->
<!-- => IT due diligence findings must feed directly into SPA (Sale and Purchase Agreement) representations and warranties -->

# Regulatory Examination Readiness Assessment
# Arcadian Federal Bank | CCO Office
# Regulator: OCC (Office of the Comptroller of the Currency)
# Exam type: IT Safety and Soundness Examination (FFIEC IT Handbook)
 
examination_readiness:
  domain_assessments:
    it_governance:
      occ_expectation: "Board and senior management demonstrate active oversight of IT risk; IT strategy aligned to business strategy"
      # => FFIEC IT Handbook — Management booklet: active oversight = documented meeting minutes, not passive ratification
      current_state: "Board IT Governance Committee established; quarterly IT risk reports to Board; IT strategy approved 2025"
      readiness_rating: SATISFACTORY
      evidence_inventory:
        - "Board IT Governance Committee charter and minutes (last 4 quarters)"
        - "IT risk appetite statement (Board-approved)"
        - "IT strategic plan 2025–2027"
        - "IT risk dashboard — last 4 quarters"
      gap: "None identified; evidence package complete"
 
    information_security:
      occ_expectation: "Comprehensive information security programme; FFIEC Cybersecurity Assessment Tool (CAT) completed; results reviewed by Board"
      # => OCC examiners routinely request CAT results — incomplete CAT is a leading indicator of examination finding
      current_state: "CAT completed Q4 2025; overall profile: Evolving (target: Intermediate)"
      readiness_rating: NEEDS_IMPROVEMENT
      evidence_inventory:
        - "FFIEC CAT results (Q4 2025)"
        - "Information Security Programme document"
        - "Penetration test results (last 12 months)"
        - "Security incident log"
      gap: "CAT profile below target maturity; 3 CAT deficiencies not yet remediated"
      remediation_actions:
        - "Close 3 CAT deficiencies by exam date: PAM deployment, third-party monitoring, SIEM alert tuning"
        - "Update CAT to reflect remediation; present to Board IT Committee before exam"
 
    operational_resilience:
      occ_expectation: "Documented BCP/DRP; tested within 12 months; RTO/RPO defined for critical systems"
      current_state: "BCP documented; DRP last tested 14 months ago (outside 12-month window)"
      readiness_rating: NEEDS_IMPROVEMENT
      gap: "DR test overdue; must be completed before exam date"
      remediation_actions:
        - "Schedule and execute DR test within 6 weeks"
        - "Document results, findings, and remediation plan"
 
    third_party_management:
      occ_expectation: "Third-party risk management programme covering due diligence, contract management, ongoing monitoring, and exit planning (OCC Bulletin 2013-29)"
      # => OCC Bulletin 2013-29 is the primary guidance for third-party risk management; exam will test against it directly
      current_state: "TPRM programme documented; 67% of critical vendors with completed annual reviews"
      readiness_rating: NEEDS_IMPROVEMENT
      gap: "33% of critical vendors (4 vendors) have overdue annual reviews"
      remediation_actions:
        - "Complete 4 overdue vendor reviews before exam date"
        - "Update TPRM register to reflect completion"
 
  exam_management_protocol:
    pre_exam:
      - "Designate Examination Coordinator (CCO direct report)"
      # => Single point of contact prevents examiner requests getting lost or inconsistently answered
      - "Prepare evidence room: organised by examination topic; indexed document inventory"
      - "Brief all document custodians: respond to examiners within 24 hours; escalate to Coordinator if uncertain"
      - "Mock exam interview: CIO and CISO practice responses to standard FFIEC IT examination questions"
 
    during_exam:
      - "Daily debrief with exam team lead: track open requests; identify emerging examiner concerns early"
      # => Early identification of examiner concerns allows corrective context before draft findings are written
      - "Escalate any proposed finding to CCO within 24 hours — do not accept findings without review"
      - "Document all verbal responses confirmed in writing within 48 hours"
 
    post_exam:
      - "Review draft examination report; respond to proposed findings with facts and remediation timeline"
      - "Board briefed on examination findings before regulator receives final report"
      - "Remediation plan with owner, milestone dates, Board sign-off submitted within 30 days of final report"
 
# => Examination preparation is a governance function, not a compliance team activity alone
# => Board must be briefed before, during, and after examination — not only when findings are issued

# Continuous Compliance Automation Architecture
# Cascade Technology Group | IT Compliance Function
# Target: SOC 2 Type II + ISO 27001 + PCI DSS
 
continuous_compliance_architecture:
  control_evidence_pipeline:
    # => Architecture is tool-agnostic; examples show representative tooling categories
 
    control_layer:
      description: "Each in-scope control has an unambiguous, machine-readable definition"
      example_control:
        control_id: "CC6.1"
        # => CC6.1 = SOC 2 Common Criteria — logical and physical access controls
        control_title: "Logical access security software, infrastructure, and architectures"
        control_statement: "Access to production systems restricted to authorised individuals; access reviewed quarterly"
        # => Control statement must be testable — vague statements cannot be automated
 
    automated_evidence_source:
      description: "Each control maps to one or more automated evidence sources"
      example_mappings:
        - control_id: "CC6.1"
          source_type: "IAM system API" # => e.g. Okta, AWS IAM, Azure AD
          evidence_artifact: "Access control list export — all production system accounts with roles"
          collection_method: "API pull — scheduled"
        - control_id: "CC6.1"
          source_type: "SIEM log export"
          evidence_artifact: "Access review completion log — quarterly review records"
          collection_method: "Log aggregation — event-driven on review completion"
        - control_id: "CC6.1"
          source_type: "Privileged Access Management (PAM) system"
          evidence_artifact: "Privileged account session recordings — 90-day retention"
          collection_method: "Automated archive"
 
    collection_frequency:
      continuous: "Real-time event logs (SIEM, PAM session logs, cloud trail events)"
      daily: "System configuration snapshots, vulnerability scan results"
      weekly: "Patch compliance status, backup verification logs"
      quarterly: "Access review completions, vendor assessment updates"
      # => Collection frequency drives evidence freshness; auditors value continuous over quarterly samples
 
    validation_rule:
      description: "Each evidence artifact has an automated validation rule"
      example_rules:
        - artifact: "Production access control list"
          rule: "No accounts without MFA; no shared accounts; no accounts inactive >90 days"
          # => Validation rule is deterministic — pass/fail with timestamp
          failure_action: "Immediate alert to IAM owner; ticket auto-created in ITSM"
        - artifact: "Access review completion log"
          rule: "Quarterly review completed within 15 days of quarter-end for all production systems"
          failure_action: "Escalation to CISO after 7-day grace period; finding opened in compliance register"
 
    exception_workflow:
      trigger: "Validation rule failure or control gap detected"
      # => Exceptions are not failures — they are managed deviations with documented treatment
      steps:
        1: "Auto-create exception ticket with control ID, violation detail, and owner"
        2: "Owner confirms: (a) false positive — provide evidence to close, or (b) real gap — provide remediation plan"
        3: "If remediation: risk acceptance required from CISO/CCO for >30-day remediation timeline"
        4: "Exception tracked in compliance register until closed"
      # => Exception workflow creates the 'documented management of exceptions' that auditors require
 
    audit_trail:
      format: "Immutable, timestamped evidence repository"
      # => Immutability is critical — auditors must be able to confirm evidence was not altered post-collection
      retention: "7 years minimum (SOC 2 / PCI DSS / regulatory minimum)"
      auditor_access: "Read-only auditor portal; evidence package auto-generated per audit period"
      # => Automated evidence package generation eliminates 80% of audit preparation effort
 
  regulatory_change_intelligence:
    method: "NLP-based regulatory change monitoring"
    # => NLP parses regulatory publications (OCC, FCA, ESMA, NIST updates) and maps to control library
    trigger: "New regulatory publication → NLP analysis → control gap identification → CCO notification"
    # => Predictive risk scoring: new regulation assessed for likelihood of creating existing control gap
    human_review: "Compliance analyst reviews NLP output; confirms or rejects control mapping"
 
# => Continuous compliance does not eliminate audits — it transforms audit from evidence gathering to evidence validation
# => ROI: 6-week SOC 2 prep reduced to 2 days; estimated saving £180K annually in external audit preparation costs

# ServiceNow GRC Process Mapping
# Meridian Asset Management | VP Risk and Compliance
 
servicenow_grc_modules:
  risk_assessment_workflow:
    module: "ServiceNow Risk Management"
    # => ServiceNow Risk Management uses entity-risk-response structure; maps to ISO 31000 risk process
 
    process_steps:
      1_risk_identification:
        actor: "Risk Owner (Business Unit)"
        action: "Create risk record: title, description, category, affected entity"
        # => Risk category taxonomy defined by CRO; enforced via ServiceNow choice list (no free-text categories)
        servicenow_form: "Risk form → Risk Category, Risk Entity, Risk Description"
 
      2_risk_assessment:
        actor: "Risk Manager"
        action: "Assess inherent likelihood × impact; assign risk owner; identify existing controls"
        # => ServiceNow risk matrix: 5×5 likelihood/impact; heat map auto-generated
        servicenow_feature: "Risk matrix scoring with auto-calculated inherent risk rating"
 
      3_risk_treatment:
        actor: "Risk Owner"
        action: "Select treatment (accept/mitigate/transfer/avoid); define response tasks with due dates"
        servicenow_feature: "Response task auto-created and assigned; SLA clock starts"
 
      governance_review_gate:
        trigger: "Inherent risk rating = HIGH or CRITICAL"
        # => High/critical risks require CRO review before risk record is published to risk register
        reviewer: "CRO (or delegate for MEDIUM risk)"
        action: "CRO reviews risk assessment; approves or returns for revision"
        servicenow_workflow: "Approval workflow triggered on HIGH/CRITICAL rating; CRO approval required to advance"
 
  control_testing_module:
    module: "ServiceNow Policy and Compliance"
    # => Control testing module links controls to risks; tracks testing schedule and results
 
    process_steps:
      1_control_schedule:
        actor: "Compliance Manager"
        action: "Define testing frequency per control tier (continuous/quarterly/annual)"
        servicenow_feature: "Control scheduled tests auto-created per frequency; assigned to control tester"
 
      2_control_testing:
        actor: "Control Tester"
        action: "Execute test procedure; record evidence; score result (effective/partially effective/ineffective)"
        servicenow_feature: "Evidence attachment; test result with timestamp; auto-link to audit trail"
 
      governance_review_gate:
        trigger: "Control test result = INEFFECTIVE"
        reviewer: "Control Owner + Risk Manager"
        action: "Review finding; accept remediation plan; escalate if control is key control for HIGH risk"
        # => Key controls for HIGH risks with INEFFECTIVE results escalate to CRO within 48 hours
 
  audit_management_module:
    module: "ServiceNow Audit Management"
    # => Audit Management supports internal audit planning, fieldwork, finding management, and report generation
 
    process_steps:
      1_audit_planning:
        actor: "Chief Audit Executive"
        action: "Create audit engagement; define scope, objectives, resource plan"
        servicenow_feature: "Audit plan auto-populated from risk-based audit universe"
        # => Risk-based audit universe maintained in ServiceNow; high-risk entities auto-prioritised
 
      2_fieldwork:
        actor: "Internal Auditor"
        action: "Issue RFIs (Requests for Information); document workpapers; raise draft findings"
        servicenow_feature: "RFI workflow with due date tracking; workpaper attachment; finding lifecycle"
 
      3_finding_management:
        actor: "Auditee (Management)"
        action: "Respond to draft findings; agree management action; commit to implementation date"
        servicenow_feature: "Management response workflow; action owner assigned; due date set"
 
      governance_review_gate:
        trigger: "Audit report ready for issue"
        reviewer: "CAE → CRO → Audit Committee"
        action: "CAE reviews final report; CRO reviews for risk register alignment; Audit Committee approves"
 
  policy_lifecycle_module:
    module: "ServiceNow Policy and Compliance — Policy Management"
    process_steps:
      1_policy_authoring: "Policy owner drafts policy in ServiceNow; version controlled"
      2_review_cycle: "Legal, Compliance, HR, Risk review via parallel approval workflow"
      3_approval: "Board or ExCo approval (depending on policy tier) via governance review gate"
      governance_review_gate:
        trigger: "Policy requires Board approval (Tier 1 policies)"
        # => Tier 1 policies: Information Security, Data Protection, Risk Appetite — require Board approval
        action: "Policy auto-routed to Board secretary for Board agenda inclusion"
      4_publication: "Approved policy published to policy portal; all staff notified"
      5_attestation: "Annual staff attestation tracked in ServiceNow; compliance rate reported to Audit Committee"
      6_review_trigger: "Policy auto-flagged for review at defined interval or on regulatory change"
 
# => ServiceNow GRC integration point: risk register feeds audit universe feeds control testing feeds policy review
# => Single platform eliminates spreadsheet version control risk and provides audit-trail integrity

| COBIT Domain                       | Thorngate Score (2026) | Industry Median (Logistics) | Gap  | Strategic Importance | Priority | Estimated Investment | Expected Maturity Gain |
| ---------------------------------- | ---------------------- | --------------------------- | ---- | -------------------- | -------- | -------------------- | ---------------------- |
| EDM — Evaluate, Direct and Monitor | 2.1                    | 3.2                         | -1.1 | CRITICAL             | 1        | £420K                | +1.2 (target 3.3)      |
| APO — Align, Plan and Organise     | 2.4                    | 3.0                         | -0.6 | HIGH                 | 2        | £280K                | +0.8 (target 3.2)      |
| BAI — Build, Acquire and Implement | 2.8                    | 3.1                         | -0.3 | MEDIUM               | 4        | £150K                | +0.5 (target 3.3)      |
| DSS — Deliver, Service and Support | 3.2                    | 3.0                         | +0.2 | MEDIUM               | 5        | £80K (maintain)      | Maintain 3.2           |
| MEA — Monitor, Evaluate and Assure | 1.9                    | 2.8                         | -0.9 | HIGH                 | 3        | £220K                | +1.0 (target 2.9)      |
 
<!-- => Benchmarking uses COBIT 2019 performance management scale: 0 (Incomplete) through 5 (Optimising) -->
<!-- => Industry median sourced from ISACA COBIT benchmarking database (logistics sector, >£500M revenue band) -->
<!-- => EDM domain gap (-1.1) is largest and in most strategically critical domain — prioritised first -->
<!-- => DSS is the only domain at or above industry median — maintenance investment only, no uplift programme -->
<!-- => MEA gap (-0.9) reflects absence of IT governance monitoring and KPI framework — high-priority because it enables measurement of all other domains -->
<!-- => Total investment: £1.15M over 24 months; expected ROI: reduced audit findings, regulatory penalties avoided, IT incident cost reduction -->
<!-- => CFO business case: £1.15M investment vs £3.2M estimated annual cost of governance failures (audit findings, incidents, regulatory actions) -->

# IT Governance Transformation Roadmap
# Arcturus Financial Group | Group CIO Office
# Mandate: Board resolution following OCC examination findings (Q1 2026)
 
transformation_programme:
  current_state_assessment:
    cobit_maturity_overall: 1.8 # => Below industry median of 2.9; examination findings concentrated in EDM01, EDM03, MEA01
    key_gaps:
      - "No Board-approved IT governance framework"
      - "IT risk appetite not defined"
      - "IT KPI framework absent — governance decisions made without metrics"
      - "Third-party risk programme underdeveloped (OCC Bulletin 2013-29 gaps)"
    regulatory_findings: "3 MRAs (Matters Requiring Attention) from OCC; 12-month remediation window"
 
  transformation_vision:
    statement: "By 2028, Arcturus IT governance operates at COBIT maturity Level 3+ across all domains, with Board-level oversight embedded in quarterly governance rhythms and regulatory examination findings reduced to zero MRAs."
    # => Vision must be measurable and time-bounded — aspirational statements without metrics lose Board confidence
 
  year_1_okrs:
    objective: "Establish governance foundations and close regulatory findings"
    key_results:
      - "Board approves IT Governance Framework and IT Risk Appetite by Q2 2026"
      # => MRA #1 requires Board-approved framework; this KR closes the regulatory finding
      - "All 3 OCC MRAs remediated and evidenced by Q3 2026"
      - "IT KPI dashboard live and presented to Board IT Committee by Q4 2026"
      - "COBIT EDM domain maturity from 1.4 → 2.5 (verified by external assessor)"
      - "TPRM programme gap closed: 100% of critical vendors with completed annual reviews by Q4 2026"
    # => Year 1 is regulatory remediation and foundation-building — not strategic transformation yet
 
  year_2_okrs:
    objective: "Operationalise governance processes and embed risk culture"
    key_results:
      - "COBIT overall maturity from 1.8 → 2.7 (all domains; external assessment)"
      - "IT governance operating model (RACI) published and adopted across all business units"
      - "ITIL V5 transition: core service management processes aligned to 8-stage lifecycle"
      - "Continuous compliance automation deployed for SOC 2 and PCI DSS controls"
      - "IT governance training: 100% of Board members complete ICT risk literacy programme"
      # => DORA Art. 5(4) training obligation for Board — KR aligns regulatory requirement with cultural goal
    # => Year 2 shifts from fixing known problems to building governance capability
 
  year_3_okrs:
    objective: "Achieve governance maturity target and sustain through embedded processes"
    key_results:
      - "COBIT overall maturity 3.0+ across all domains (target met)"
      - "Zero OCC MRAs in next regulatory examination"
      - "IT governance programme embedded in annual planning cycle; no standalone programme office required"
      - "IT governance benchmarked vs industry peers; Arcturus at or above median in all COBIT domains"
      - "IT governance culture survey score ≥75% (baseline established Year 1)"
    # => Year 3 moves from programme to steady-state governance — the transformation is complete when it sustains itself
 
  change_management_plan:
    sponsor: "Group CIO (primary); CEO (executive sponsor for Board mandate)"
    # => Dual sponsorship: CIO drives execution; CEO signals Board-level commitment to organisation
    stakeholder_engagement:
      board: "Quarterly progress updates; milestone sign-offs; OKR tracking dashboard"
      executive_committee: "Monthly transformation update; resource allocation decisions"
      business_units: "Quarterly RACI workshops; governance awareness sessions"
      it_teams: "Change champion network; bi-monthly all-hands on governance progress"
    resistance_management:
      anticipated_resistance: "IT teams perceive governance as overhead; business units resist RACI accountability"
      # => Most governance transformations fail due to cultural resistance, not technical difficulty
      mitigation:
        - "Connect governance outcomes to individuals' pain points (escalation conflicts, incident blame)"
        - "Quick wins in Year 1 visible to sceptics (fewer escalation conflicts, faster risk decisions)"
        - "Change champions embedded in each business unit — peer influence, not top-down mandate"
 
  programme_governance_structure:
    programme_board:
      chair: "Group CIO"
      members: ["CFO", "CRO", "CCO", "Head of Internal Audit (observer)"]
      cadence: "Monthly"
      # => Programme Board governs the transformation — separate from IT Risk Committee which governs IT risk
    pmo: "IT Governance Transformation PMO; reports to Programme Board"
    external_assessor: "Independent COBIT assessor validates maturity scores annually"
    # => External validation prevents grade inflation and provides credibility to Board and regulators
 
# => Transformation is complete when governance processes run without the PMO — institutionalisation is the success criterion

# Enterprise TPRM Programme Design
# Solaris Capital Markets | CRO Office
# Regulatory alignment: DORA Art. 28-30, OCC Bulletin 2013-29
 
tprm_programme:
  inherent_risk_tiering:
    # => Tiering determines due diligence intensity — must be defined before onboarding any vendor
 
    tier_1_critical:
      criteria:
        - "Supports critical or important functions (DORA definition)"
        - "Provides core banking / trading / settlement systems"
        - "Processes restricted personal data (>10,000 records) or financial data"
        - "Single point of failure — no viable short-term alternative"
      # => DORA: financial entities must identify critical ICT third-party providers — Tier 1 maps to this
      examples: ["Core banking system provider", "Payment network", "Cloud infrastructure provider"]
      vendor_count_estimate: 8 # => Typical large bank: 5-15 Tier 1 vendors
 
    tier_2_high:
      criteria:
        - "Supports important but not critical functions"
        - "Access to confidential data; no restricted data"
        - "Viable alternative exists within 6 months"
      examples: ["HR system", "CRM platform", "IT monitoring tooling"]
      vendor_count_estimate: 45
 
    tier_3_standard:
      criteria:
        - "No access to sensitive data"
        - "No single point of failure risk"
        - "Readily replaceable within 30 days"
      examples: ["Office supplies", "Courier services", "Non-IT professional services"]
      vendor_count_estimate: 320
 
  due_diligence_playbook:
    tier_1_critical_dd:
      pre_onboarding:
        - "Full information security assessment (ISO 27001 / SOC 2 Type II review)"
        # => DORA Art. 29: audit rights and access rights must be in contracts for ICT third-party providers
        - "Financial health and business continuity review"
        - "Data protection impact assessment (if personal data processed)"
        - "Concentration risk assessment (market alternatives analysis)"
        - "On-site visit or independent audit (no self-certification for Tier 1)"
        - "Legal review of contract: audit rights, DORA Art. 29 mandatory clauses, exit provisions"
      approval: "CRO + CISO + Legal sign-off; Board Risk Committee informed"
      # => Tier 1 vendor approval cannot be delegated below CRO level
 
    tier_2_high_dd:
      pre_onboarding:
        - "Questionnaire-based security assessment (SIG or equivalent)"
        - "SOC 2 Type II or equivalent certification review"
        - "Contract review: data protection, termination rights, audit rights"
      approval: "Risk Manager + Legal sign-off"
 
    tier_3_standard_dd:
      pre_onboarding:
        - "Standard vendor registration and basic commercial due diligence"
        - "No information security assessment required"
      approval: "Procurement Manager sign-off"
 
  ongoing_monitoring:
    tier_1_critical:
      - "Annual comprehensive reassessment (full due diligence repeated)"
      - "Quarterly vendor service review (SLA performance, incident reporting)"
      - "Continuous monitoring: SIEM integration for vendor access logs"
      # => DORA Art. 28: ongoing monitoring of critical ICT providers — automated log monitoring satisfies this
      - "Annual on-site or independent audit"
      - "Bi-annual concentration risk review"
    tier_2_high:
      - "Annual questionnaire reassessment"
      - "Semi-annual service review"
    tier_3_standard:
      - "Triennial registration renewal"
 
  exit_and_contingency_planning:
    tier_1_critical_requirements:
      exit_strategy:
        - "Documented exit strategy for each Tier 1 vendor; reviewed annually"
        # => DORA Art. 28(8): exit strategies mandatory for critical ICT third-party providers
        - "Data portability: confirm data export capability and format"
        - "Knowledge transfer: documented runbook for internal or alternative provider"
        - "Transition timeline: realistic assessment (most core system transitions require 18–36 months)"
      contingency:
        - "Business continuity plan for vendor failure scenario: manual workaround or backup provider"
        - "Tested at least annually as part of BCP/DRP programme"
    concentration_risk:
      threshold: "No single ICT provider >40% of critical functions; no single cloud provider >60% of workloads"
      # => Concentration risk thresholds set by Board; breach triggers mandatory diversification plan
 
  board_reporting:
    quarterly:
      - "Third-party risk register: top 10 risks by residual rating"
      - "Tier 1 vendor health dashboard: SLA performance, open findings, financial health indicators"
      - "DORA third-party register status: completeness and submission readiness"
    annual:
      - "TPRM programme maturity assessment"
      - "Concentration risk analysis"
      - "Exit strategy review summary for Tier 1 vendors"
    # => Board Risk Committee receives quarterly; Audit Committee receives annual programme maturity
 
# => DORA Art. 30: register of all ICT third-party service arrangements — submitted annually to competent authority
# => TPRM programme effectiveness measured by: % critical vendors with current assessments, concentration risk ratio, open findings age

# COSO ICIF 2013 — IT Control Mapping
# Meridian Energy Group | Internal Audit
# Reference: COSO ICIF 2013; Feb 2026 supplement "Achieving Effective Internal Control Over Generative AI"
 
coso_it_control_mapping:
  component_1_control_environment:
    # => Control environment sets the tone; IT governance structure is the primary IT control environment element
    principles:
      P01_commitment_to_integrity:
        description: "Organisation demonstrates commitment to integrity and ethical values"
        it_control_domain: "IT Code of Conduct; acceptable use policy; IT ethics training"
        # => IT ethics training must address AI use, data privacy, and cybersecurity obligations
        generative_ai_supplement: "Feb 2026 supplement: organisations must establish AI ethics principles in control environment"
        soc2_mapping: "CC1.1"
 
      P02_board_oversight:
        description: "Board demonstrates independence from management and exercises oversight"
        it_control_domain: "Board IT Governance Committee; CIO reporting to Board; IT risk appetite"
        soc2_mapping: "CC1.2"
 
      P03_management_structure:
        description: "Management establishes structure, authorities, and responsibilities"
        it_control_domain: "IT RACI; IT organisational design; IT role definitions; segregation of duties"
        # => Segregation of duties is a direct COSO P03 IT control requirement — no single person controls end-to-end process
 
      P04_commitment_to_competence:
        description: "Organisation demonstrates commitment to attract, develop, retain competent individuals"
        it_control_domain: "IT competency framework; training records; certification requirements"
        generative_ai_supplement: "Feb 2026: AI competency requirements added — staff using GenAI must be trained on limitations and controls"
 
      P05_accountability:
        description: "Organisation holds individuals accountable for internal control responsibilities"
        it_control_domain: "IT performance management; KPIs tied to control responsibilities; incident accountability"
 
  component_2_risk_assessment:
    principles:
      P06_objectives:
        description: "Organisation specifies objectives with sufficient clarity to enable risk identification"
        it_control_domain: "IT strategic objectives; SLA targets; RTO/RPO definitions — clear enough to be testable"
 
      P07_risk_identification:
        description: "Organisation identifies risks to achievement of objectives and analyses them"
        it_control_domain: "IT risk register; threat and vulnerability assessments; third-party risk identification"
 
      P08_fraud_risk:
        description: "Organisation considers potential for fraud in assessing risks"
        it_control_domain: "Privileged access monitoring; segregation of duties; IT fraud detection controls"
        # => IT fraud risk includes insider threat (privileged user abuse) and external (social engineering, ransomware)
 
      P09_change_management:
        description: "Organisation identifies and assesses changes that could impact internal control"
        it_control_domain: "IT change management (CAB); major release governance; technology refresh assessment"
        generative_ai_supplement: "Feb 2026: GenAI model updates and prompt changes are COSO P09 change events — require change management"
 
  component_3_control_activities:
    principles:
      P10_control_selection:
        description: "Organisation selects and develops control activities that mitigate risks"
        it_control_domain: "IT General Controls (ITGC): logical access, change management, computer operations, program development"
        # => ITGC are the foundational controls external auditors rely on for SOX; P10 is the principle they test
 
      P11_technology_controls:
        description: "Organisation selects and develops general controls over technology"
        it_control_domain: "SDLC controls; code review; test environment separation; deployment controls"
        # => P11 specifically addresses technology controls — often directly tested in IT audits
 
      P12_policy_deployment:
        description: "Organisation deploys control activities through policies and procedures"
        it_control_domain: "IT policy library; procedure documentation; policy attestation; exception management"
 
  component_4_information_and_communication:
    principles:
      P13_relevant_information:
        description: "Organisation obtains or generates relevant, quality information"
        it_control_domain: "Data quality controls; system logging; reporting integrity; master data management"
 
      P14_internal_communication:
        description: "Organisation communicates information internally to support control objectives"
        it_control_domain: "IT governance reporting cadence; incident communication; security awareness"
        generative_ai_supplement: "Feb 2026: GenAI output used in decision-making must be communicated with appropriate context on AI limitations"
 
      P15_external_communication:
        description: "Organisation communicates with external parties regarding internal control"
        it_control_domain: "Regulatory reporting; breach notification; third-party audit reporting; SOC 2 reports"
 
  component_5_monitoring:
    principles:
      P16_ongoing_monitoring:
        description: "Organisation selects, develops, and performs ongoing evaluations"
        it_control_domain: "Continuous control monitoring; SIEM alerts; IT KPI dashboards; automated control testing"
        generative_ai_supplement: "Feb 2026: GenAI systems require ongoing monitoring of model outputs for accuracy, bias, and hallucination"
        # => Continuous compliance automation (Example 73) directly implements COSO P16
 
      P17_deficiency_reporting:
        description: "Organisation evaluates and communicates internal control deficiencies"
        it_control_domain: "IT audit finding management; deficiency escalation (significant deficiency / material weakness); remediation tracking"
        # => SOX distinction: control deficiency < significant deficiency < material weakness — escalation to AC required for latter two
 
# => COSO ICIF 2013 is the internal control framework; COBIT provides the IT governance framework — they are complementary
# => External auditors (PwC, Deloitte, KPMG, EY) use COSO ICIF when assessing SOX IT controls
# => Feb 2026 supplement is advisory — not a revision of ICIF 2013 — but auditors will expect consideration of GenAI risks under existing principles

## IT Governance Investment Business Case — Calloway Retail Group
 
### Investment Summary
 
| Item                                      | Year 1       | Year 2       | Year 3       | Total (3yr)    |
| ----------------------------------------- | ------------ | ------------ | ------------ | -------------- |
| GRC Platform (ServiceNow GRC licence)     | £280,000     | £140,000     | £140,000     | £560,000       |
| External COBIT Assessment (annual)        | £85,000      | £85,000      | £85,000      | £255,000       |
| Internal Programme Office (0.5 FTE)       | £60,000      | £60,000      | £30,000      | £150,000       |
| Training and Certification (CGEIT, CRISC) | £45,000      | £25,000      | £25,000      | £95,000        |
| Policy and Framework Development          | £120,000     | £40,000      | £20,000      | £180,000       |
| **Total Programme Cost**                  | **£590,000** | **£350,000** | **£300,000** | **£1,240,000** |
 
<!-- => Year 1 highest cost: platform implementation + framework development are one-time investments -->
<!-- => Year 2-3 cost is ongoing operational cost of sustaining governance maturity -->
 
### Cost of Governance Failures (3-Year Historical Baseline)
 
| Failure Category                                           | Annual Cost    | 3-Year Total   | Source                         |
| ---------------------------------------------------------- | -------------- | -------------- | ------------------------------ |
| IT audit findings — remediation cost                       | £380,000       | £1,140,000     | Internal Audit annual reports  |
| Regulatory penalties (ICO fine, FCA fine)                  | £220,000       | £660,000       | Finance — regulatory penalties |
| IT incident cost (P1/P2 incidents — governance root cause) | £490,000       | £1,470,000     | ITSM incident cost analysis    |
| Third-party risk failures (SLA penalties, recovery)        | £150,000       | £450,000       | Vendor management reports      |
| **Total Annual Governance Failure Cost**                   | **£1,240,000** | **£3,720,000** |                                |
 
<!-- => Governance failure cost baseline uses historical actuals — not estimates — for CFO credibility -->
<!-- => IT incident costs attributed to governance root cause: incidents caused by absent change management, unclear accountability, or undocumented procedures -->
 
### NPV and Payback Analysis
 
| Metric                                                         | Value       | Assumption                                                      |
| -------------------------------------------------------------- | ----------- | --------------------------------------------------------------- |
| Annual benefit (failure cost reduction — 60% reduction target) | £744,000/yr | Conservative: governance programme reduces failure costs by 60% |
| 3-Year total benefit                                           | £2,232,000  |                                                                 |
| 3-Year total cost                                              | £1,240,000  |                                                                 |
| Net benefit (3yr)                                              | £992,000    |                                                                 |
| NPV (discount rate 8%)                                         | £847,000    | Positive NPV; investment justified                              |
| Payback period                                                 | 20 months   | Benefits begin accruing from Month 6 (quick wins)               |
 
<!-- => 60% failure cost reduction is conservative vs industry benchmarks (Gartner: mature governance reduces IT incident cost by 40-70%) -->
<!-- => Sensitivity analysis: even at 40% reduction (£496K/yr benefit), NPV remains positive at £218K -->
<!-- => Intangible benefits excluded: regulatory relationship improvement, faster strategic decision-making, talent retention in governance-mature environment -->

# Board Technology Committee Charter
# Arcturus Insurance Group
# Adopted: Board resolution, March 2026
 
board_technology_committee_charter:
  mandate:
    purpose: "Provide dedicated Board-level oversight of technology strategy, IT risk, cybersecurity, digital transformation, and AI governance"
    # => Mandate is distinct from Audit Committee IT oversight (backward-looking control assurance) — BTC is forward-looking strategy and risk
    scope:
      - "Technology strategy alignment with business strategy"
      - "IT risk appetite and risk register (technology-specific)"
      - "Cybersecurity and operational resilience oversight"
      - "AI governance and emerging technology risks"
      - "Digital transformation programme oversight"
      - "Major technology investments (>£5M or Board-reserved per delegation schedule)"
      - "Technology regulatory compliance (DORA, EU AI Act, ICO obligations)"
    not_in_scope:
      - "Routine IT operational management (delegated to CRO/CTO)"
      - "Internal audit findings (primary domain of Audit Committee)"
      # => Audit Committee and BTC share technology risk; MoU defines boundary and joint reporting items
 
  composition:
    independent_ned_chair: "Minimum 1 NED with technology or cybersecurity expertise"
    # => Chair qualification: prior CTO, CISO, or digital transformation executive experience preferred
    independent_neds: "Minimum 2 additional NEDs"
    management_attendees:
      - "CTO (standing attendee; not voting)"
      - "CISO (standing attendee; not voting)"
      - "Chief Digital Officer (standing attendee; not voting)"
      - "Chief AI Officer (standing attendee if appointed; not voting)"
      # => Management attendees provide technical depth; voting reserved for independent NEDs only
    quorum: "Chair + 2 NEDs (all independent)"
    secretary: "Company Secretary or designated Board Secretary"
 
  meeting_cadence:
    regular: "Quarterly; minimum 4 meetings per year"
    extraordinary: "Called by Chair with 5 business days notice; for material incidents or urgent regulatory matters"
    joint_sessions: "Annual joint session with Audit Committee (technology risk boundary and overlap)"
 
  standing_agenda_items:
    every_meeting:
      - "Technology risk register (top 10; heat map)"
      - "Cybersecurity dashboard (threat landscape, incident summary, KPIs)"
      - "Digital transformation programme update (key milestones, risks, budget)"
      - "AI governance update (new AI deployments, EU AI Act compliance status)"
      # => AI governance as standing item reflects post-2025 regulatory environment
    annual:
      - "Technology strategy review and alignment to business strategy"
      - "IT risk appetite review (recommend to Board for approval)"
      - "TLPT/cybersecurity testing programme results (if DORA in-scope)"
      - "Board technology capability self-assessment (individual and collective)"
      # => DORA Art. 5(4): Board training assessment is an annual governance requirement
 
  delegated_authorities:
    approved_by_btc:
      - "IT risk appetite recommendation to full Board (full Board retains approval)"
      - "Technology regulatory response strategy (DORA, EU AI Act, ICO)"
      - "Technology investment approval: £5M–£25M (above £25M reserved for full Board)"
    # => Delegated authority schedule must be consistent with Board-level Matters Reserved schedule
 
  reporting_to_full_board:
    quarterly: "BTC Chair verbal update at Board meeting (5–10 minutes)"
    annual: "Full BTC annual report to Board: technology risk landscape, strategy alignment, key decisions taken"
    # => Annual report creates the documented Board oversight record that regulators and auditors seek
    ad_hoc: "Material technology incidents; regulatory enforcement actions; decisions outside BTC delegated authority"
 
  charter_review: "Annual review by BTC; approved by full Board"
 
# => BTC charter must be filed with Company Secretary; available to regulators on request
# => BTC minutes are Board-level documents subject to legal privilege considerations

# IT Governance Culture Assessment Tool
# Meridian Bank | Chief Governance Officer Office
 
governance_culture_assessment:
  survey_dimensions:
    # => Survey uses 5-point Likert scale: 1 (Strongly Disagree) → 5 (Strongly Agree)
    # => Administered annually; results compared year-over-year; segment by: seniority, business unit, IT vs business
 
    dimension_1_governance_awareness:
      description: "Staff understand what IT governance is and why it exists"
      sample_questions:
        - "I understand how IT governance decisions are made in this organisation."
        - "I know who to escalate IT risks or control concerns to."
        - "I understand why IT policies exist, not just that they exist."
      # => Low scores here (< 3.0) indicate governance framework was not communicated effectively
      weight: 20 # percentage
 
    dimension_2_risk_ownership:
      description: "Staff feel personally accountable for IT risks in their domain"
      sample_questions:
        - "I feel personally responsible for managing IT risks in my area of work."
        - "I proactively identify and report IT risks rather than waiting to be asked."
        - "When I see a potential IT control weakness, I take action to address it."
      # => Low risk ownership scores indicate RACI not internalised; accountability feels external
      weight: 25
 
    dimension_3_compliance_tone:
      description: "Leaders model and reinforce compliance behaviours"
      sample_questions:
        - "Senior leaders in my area take IT governance seriously."
        - "I have never been pressured to bypass a control or approval process."
        - "Management communicate clearly when governance policies change."
      # => Tone at the top is the most predictive dimension for culture quality — leadership modelling matters most
      weight: 30 # => Highest weight: governance culture flows from leadership behaviour
 
    dimension_4_accountability:
      description: "Governance accountability is exercised fairly and consistently"
      sample_questions:
        - "Governance accountability is applied consistently regardless of seniority."
        - "When controls fail, the organisation focuses on process improvement, not blame."
        - "IT governance roles and responsibilities are clear in my team."
      weight: 25
 
  scoring:
    composite_score: "Weighted average of four dimensions × dimension weight"
    bands:
      below_3_0: "At Risk — governance culture is a material programme risk; immediate intervention required"
      3_0_to_3_5: "Developing — awareness and structures in place; ownership and tone require reinforcement"
      3_5_to_4_0: "Established — governance behaviours generally consistent; targeted improvement possible"
      above_4_0: "Embedded — governance culture is self-sustaining; focus on maintenance and optimisation"
    # => Benchmark: financial services industry average ~3.4; top quartile ~4.1
 
  improvement_programme_design:
    for_low_awareness_scores:
      actions:
        - "Mandatory IT governance literacy module: 90-minute e-learning; accessible in multiple languages"
        - "IT governance intranet hub: RACI, policies, escalation paths — searchable, current"
        - "Governance town halls: CIO and CRO present governance outcomes quarterly (plain language)"
      # => Awareness programmes fail when they are lecture-only; interactive scenarios improve retention
 
    for_low_risk_ownership_scores:
      actions:
        - "Embed IT risk ownership in performance objectives for all manager-grade and above"
        # => Governance behaviour that is not measured in performance management is aspirational only
        - "Risk ownership workshops: structured sessions where business units identify and own their IT risks"
        - "Recognition programme: showcase teams that proactively identified and resolved IT risks"
 
    for_low_compliance_tone_scores:
      actions:
        - "CEO and CIO joint communication: visible endorsement of governance programme"
        - "Executive IT governance literacy programme: Board and ExCo members complete ICT risk training"
        - "CGEIT-certified governance leads visible in leadership forums"
        # => CGEIT certification signals professional governance leadership — improves credibility of governance function
 
    for_low_accountability_scores:
      actions:
        - "RACI refresh workshops: clarify and simplify accountability for common governance decisions"
        - "Post-incident culture review: ensure blame-free root cause analysis is genuinely practised"
        - "Governance advisory panel: cross-functional group reviews culture assessment results and owns improvement"
 
  reporting:
    frequency: "Annual; with quarterly pulse check (3-question version)"
    audience: "Board (annual); CIO and CRO (quarterly pulse); Business Unit Heads (dimension scores for their unit)"
    # => Sharing business-unit-level scores with BU Heads creates local accountability for improvement

## IT Governance Annual Programme Review — Solaris Energy (2026)
 
| Domain                      | 2025 Maturity | 2026 Maturity | YoY Trend  | Priority Initiatives (2027)                                                        | Investment Required |
| --------------------------- | ------------- | ------------- | ---------- | ---------------------------------------------------------------------------------- | ------------------- |
| IT Strategy and Planning    | 2.4           | 3.1           | +0.7 ↑     | Embed technology strategy in annual planning cycle; Board-level technology roadmap | £85,000             |
| IT Risk Management          | 2.1           | 2.8           | +0.7 ↑     | Automate risk register updates; integrate with ERM platform                        | £120,000            |
| Information Security        | 2.6           | 3.0           | +0.4 ↑     | TLPT programme (DORA); close 4 FFIEC CAT deficiencies                              | £340,000            |
| IT Service Management       | 3.0           | 3.2           | +0.2 ↑     | ITIL V5 transition: align to 8-stage lifecycle                                     | £95,000             |
| Vendor and Third-Party Risk | 1.8           | 2.5           | +0.7 ↑     | DORA Art. 30 register completion; critical vendor exit strategies                  | £180,000            |
| **Overall Programme**       | **2.4**       | **2.9**       | **+0.5 ↑** | **Continuous improvement programme; target 3.5 by 2028**                           | **£820,000**        |
 
<!-- => Maturity scores use COBIT 2019 performance management scale (0–5); assessed by external COBIT assessor -->
<!-- => YoY improvement of +0.5 overall represents strong progress; information security +0.4 is slowest — reflects complexity of DORA TLPT preparation -->
<!-- => Vendor risk lowest absolute maturity (2.5) despite strong improvement (+0.7) — started from low base; requires continued priority investment -->
<!-- => 2027 investment of £820K represents continuation of transformation programme at reduced cost from Year 1 peak -->
 
### Key Achievements (2026)
 
<!-- => Achievements section provides Board with evidence that prior investment delivered results -->
 
- OCC examination: zero MRAs issued (prior examination: 3 MRAs) — governance programme directly responsible
- DORA readiness: ICT risk management framework Board-approved; incident reporting playbook deployed; 90% of critical vendors on DORA Art. 30 register
- AI governance: ISO 42001 gap assessment completed; Board AI policy approved; AI risk register operational
- ServiceNow GRC: deployed; 847 risks, 1,243 controls, and 3 active audit engagements managed on platform
 
### Risks to 2027 Programme
 
<!-- => Risk transparency maintains Board confidence — hiding programme risks erodes credibility -->
 
| Risk                                           | Rating | Mitigation                                                      |
| ---------------------------------------------- | ------ | --------------------------------------------------------------- |
| TLPT programme cost overrun (DORA)             | MEDIUM | Fixed-price contract with TIBER-certified provider              |
| ITIL V5 V5 transition complexity               | LOW    | Phased migration; external consultant engaged                   |
| Governance culture resistance (business units) | MEDIUM | Culture assessment underway; BU-level accountability introduced |

# Regulatory Change Management Process
# Aldgate Bank | CCO Office
 
regulatory_change_management:
  horizon_scanning:
    intelligence_sources:
      primary:
        - "Regulatory body publications: FCA, PRA, EBA, ESMA, EIOPA, OCC, FRB"
        # => Primary sources are authoritative — secondary sources (law firms, consultancies) are interpretive
        - "EU Official Journal: regulation and directive publications (EU AI Act, DORA, CSRD)"
        - "ISACA, NIST, ISO standards bodies: framework updates and new standards"
      secondary:
        - "Big Four regulatory horizon scanning alerts (PwC, Deloitte, KPMG, EY)"
        - "Trade association updates (BBA, AFME, ISDA)"
        - "NLP-based regulatory intelligence tool (continuous monitoring)"
        # => NLP tool parses regulatory publications and maps to internal policy library — reduces analyst workload by ~60%
      cadence: "Weekly horizon scan; monthly triage meeting; quarterly Board horizon report"
 
  triage_criteria:
    # => Triage determines which regulatory changes require formal impact assessment vs monitoring
    triggers_for_formal_impact_assessment:
      - "New legislation or regulation directly applicable to Aldgate (financial services scope)"
      - "Amendment to existing regulation materially changing obligations (not clarification)"
      - "Regulatory guidance materially changing regulatory expectation"
      - "Enforcement action against peer institution indicating regulatory interpretation shift"
      # => Peer enforcement actions are the most underweighted triage trigger — regulators signal priorities through enforcement
      - "New standard (ISO, NIST) adopted by regulator or referenced in examination guidance"
    monitoring_only:
      - "Consultation papers (pre-legislation; monitor for final rule)"
      - "Foreign regulation with indirect impact (third-country equivalence context)"
      - "Non-binding guidance not referenced in examination criteria"
 
  impact_assessment_template:
    fields:
      regulation_id: "Reference number and title of regulation/standard"
      effective_date: "Enforcement date; phased implementation dates if applicable"
      # => Phased dates are common (DORA, EU AI Act) — each phase triggers separate assessment
      in_scope_entities: "Which Aldgate legal entities are in scope"
      obligation_summary: "Plain language summary of new obligations"
      current_state: "How Aldgate currently meets (or does not meet) the obligation"
      gap_assessment: "Specific gaps between current state and required state"
      remediation_actions: "Required actions with owner, cost estimate, and implementation date"
      residual_risk: "Risk if remediation not completed by effective date"
      board_notification: "Yes/No — does this meet Board notification threshold?"
      # => Board notification threshold: any regulation with penalty risk >£1M or material operational impact
 
  implementation_tracking:
    tool: "ServiceNow — regulatory change register (integrated with GRC platform)"
    # => Regulatory changes tracked in same platform as risk and control management — traceability preserved
    fields:
      - "Regulation ID; effective date; owner; milestones; status (Identified/In Progress/Completed/Overdue)"
    reporting:
      weekly: "Open regulatory changes by status to CCO"
      monthly: "Regulatory change register to CRO and CTO (technology-impacting regulations)"
      quarterly: "Board horizon report: upcoming regulatory changes by effective date and impact"
 
  board_notification_threshold:
    automatic_notification:
      - "Any regulation creating financial penalty risk >£1M"
      - "Any regulation requiring Board policy approval or Board training"
      # => DORA Art. 5(4) Board training obligation: automatic Board notification
      - "Any regulation creating individual senior management liability"
      - "Any regulation requiring material technology investment (>£500K)"
    board_format: "1-page regulatory change brief: regulation, effective date, obligation, gap, remediation cost, Board action required"
    # => Board briefs must be actionable — regulatory change communications that require no Board decision are monitoring items, not Board items
 
# => Regulatory change management process effectiveness metric: zero missed regulatory deadlines
# => Annual process review: CAE tests that all in-scope regulatory changes for prior year were identified and tracked

# IT Governance Leadership Succession Plan
# Arcturus Financial Group | Group CIO Office
 
it_governance_succession_plan:
 
  critical_role_inventory:
    # => Roles are critical if their temporary absence creates governance programme risk
 
    group_cio:
      governance_responsibilities:
        - "Board IT Governance Committee — primary management attendee"
        - "IT risk appetite owner"
        - "DORA Art. 5 management body accountability — primary delegate to Board"
        - "IT governance transformation programme executive sponsor"
      certifications_held: ["CGEIT"]
      # => CGEIT (Certified in Governance of Enterprise IT) — ISACA certification; held by Group CIO
      deputy: "CTO (designated deputy for all governance roles)"
      deputy_certification_gap: "CTO does not hold CGEIT — gap identified; CGEIT enrolled Q3 2026"
      knowledge_transfer_requirements:
        - "Quarterly briefing sessions with Deputy on Board relationship and open governance items"
        - "Shared access to Board committee papers and governance programme documentation"
        - "Deputy attends Board IT Governance Committee as observer (minimum 2 meetings/year)"
      documentation_standards:
        - "Governance decision log: all material governance decisions recorded with rationale within 5 business days"
        - "Board relationship map: stakeholder preferences, communication styles, open commitments"
 
    group_ciso:
      governance_responsibilities:
        - "IT Risk Committee chair"
        - "Information security risk appetite owner"
        - "DORA pillar 2 (ICT risk management) — primary responsible executive"
        - "TLPT programme sponsor"
      certifications_held: ["CISA", "CRISC"]
      # => CISA (Certified Information Systems Auditor); CRISC (Certified in Risk and Information Systems Control) — ISACA
      deputy: "Head of Security Operations (designated deputy)"
      deputy_certification_gap: "Deputy holds CISA; CRISC enrolment planned Q4 2026"
      knowledge_transfer_requirements:
        - "Monthly 1:1 with Deputy: open risk items, regulatory obligations, key relationships"
        - "Deputy leads IT Risk Committee in CISO absence"
        - "Regulatory relationship contacts documented and introduced to Deputy"
      documentation_standards:
        - "Risk register ownership: all CISO-owned risks have documented owner in risk register (not personal knowledge)"
        - "Regulatory correspondence log: all FCA/OCC correspondence filed and accessible to Deputy"
 
    head_of_it_compliance:
      governance_responsibilities:
        - "Regulatory examination management"
        - "Continuous compliance automation programme owner"
        - "Policy lifecycle management"
      certifications_held: ["CISA", "AIGP"]
      # => AIGP (AI Governance Professional) — IAPP certification; relevant for EU AI Act compliance
      deputy: "Senior Compliance Analyst (designated)"
      knowledge_transfer_requirements:
        - "Examination management protocol: documented procedure + Deputy shadows next examination"
        - "Policy library access and update procedure: Deputy trained and tested"
 
  succession_testing:
    method: "Annual deputy activation exercise — key deputy performs role for 2-week planned absence"
    # => Succession planning without testing creates false confidence; activation exercise validates readiness
    output: "Succession readiness report: gaps identified during exercise; remediation actions"
    reporting: "CIO reviews succession readiness report annually; material gaps reported to Board"
 
  documentation_standards:
    principle: "No governance knowledge should exist only in one person's head"
    # => Single points of knowledge failure are treated as governance risk, not just operational risk
    requirements:
      - "All governance processes documented in ServiceNow wiki or equivalent"
      - "Board relationship context documented (not just meeting minutes)"
      - "Regulatory correspondence indexed and accessible to designated deputy"
      - "IT governance programme status documented weekly (programme dashboard)"
 
  certification_pipeline:
    target: "Minimum 2 CGEIT holders; minimum 3 CRISC holders; minimum 1 AIGP holder by end 2027"
    # => Certification pipeline ensures governance capability is not concentrated in one individual
    certifications_in_progress:
      - role: "CTO", cert: "CGEIT", target: "Q1 2027"
      - role: "Head of Security Operations", cert: "CRISC", target: "Q2 2027"
      - role: "Senior Compliance Analyst", cert: "CISA", target: "Q3 2026"
    # => CRAGE (EC-Council) — Certified Risk and Governance Expert — also recognised; relevant for deputy upskilling
 
# => Succession plan reviewed annually and on any critical role departure or organisational restructure
# => Board IT Committee informed of any critical governance role vacancy >30 days

# World-Class IT Governance Programme — Synthesis Roadmap
# Solaris Financial Group | Group CIO Office | Board Presentation
 
world_class_it_governance:
  ten_foundational_elements:
    element_1_governance_framework:
      title: "Board-Approved IT Governance Framework"
      description: "Documented framework: governance principles, RACI, escalation paths, decision rights"
      # => Foundation of all other elements — nothing else is credible without a Board-approved framework
      depends_on: [] # => No dependencies; this is the starting point
      enables: ["element_2", "element_3", "element_4"]
      sequence: 1
      measurement: "COBIT EDM01 maturity score; Board approval date"
      board_relevance: "Board accountability; legal and regulatory compliance"
 
    element_2_risk_appetite:
      title: "IT Risk Appetite and Risk Register"
      description: "Quantified risk appetite per IT risk category; enterprise IT risk register with residual ratings"
      depends_on: ["element_1"]
      # => Risk appetite cannot be meaningful without a governance framework to approve and operationalise it
      enables: ["element_5", "element_6", "element_7"]
      sequence: 2
      measurement: "COBIT APO12 maturity; risk register completeness; appetite breach frequency"
 
    element_3_operating_model:
      title: "IT Governance Operating Model (RACI)"
      description: "Clear accountability for all material IT governance decisions across IT, Business, Legal, HR, Board"
      depends_on: ["element_1"]
      enables: ["element_4", "element_9"]
      sequence: 2 # => Parallel with element_2; both depend only on element_1
      measurement: "RACI coverage score; escalation conflict frequency; decision cycle time"
 
    element_4_policy_framework:
      title: "IT Policy and Standards Framework"
      description: "Complete, current, Board-approved IT policy library; lifecycle management; staff attestation"
      depends_on: ["element_1", "element_3"]
      enables: ["element_5", "element_8"]
      sequence: 3
      measurement: "Policy currency rate (% policies reviewed within 24 months); attestation completion rate"
 
    element_5_risk_management:
      title: "IT Risk Management Processes"
      description: "Structured risk assessment, treatment, monitoring, and reporting processes; linked to ERM"
      depends_on: ["element_2", "element_4"]
      enables: ["element_6", "element_7"]
      sequence: 4
      measurement: "COBIT APO12 maturity; risk treatment completion rate; ERM integration quality"
 
    element_6_control_environment:
      title: "IT Control Environment and Testing"
      description: "ITGC and application controls; COSO-aligned; continuous control monitoring"
      depends_on: ["element_5"]
      enables: ["element_7", "element_8"]
      sequence: 5
      measurement: "Control effectiveness rate; audit finding trend; SOX/SOC 2 opinion quality"
 
    element_7_third_party_risk:
      title: "Enterprise TPRM Programme"
      description: "Risk-tiered due diligence; ongoing monitoring; exit strategies for critical vendors; DORA Art. 30 register"
      depends_on: ["element_2", "element_5"]
      enables: ["element_8"]
      sequence: 5
      measurement: "Critical vendor assessment currency; concentration risk ratio; DORA register completeness"
 
    element_8_regulatory_compliance:
      title: "Regulatory Change Management and Continuous Compliance"
      description: "Horizon scanning; impact assessment; continuous compliance automation; examination readiness"
      depends_on: ["element_4", "element_6", "element_7"]
      enables: ["element_9"]
      sequence: 6
      measurement: "Regulatory deadline compliance rate; examination finding trend; compliance automation coverage"
 
    element_9_culture_and_capability:
      title: "Governance Culture and Talent Pipeline"
      description: "Culture assessment programme; CGEIT/CRISC certification pipeline; succession planning; Board training"
      depends_on: ["element_3", "element_8"]
      enables: ["element_10"]
      sequence: 7
      measurement: "Culture assessment composite score; certification count; succession readiness rating"
      # => CGEIT, CRISC, CISA (ISACA); AIGP (IAPP); CRAGE (EC-Council) — active certifications for pipeline
 
    element_10_continuous_improvement:
      title: "Governance Maturity Measurement and Continuous Improvement"
      description: "Annual COBIT maturity assessment; benchmarking; OKR-driven improvement roadmap; Board annual review"
      depends_on:
        [
          "element_1",
          "element_2",
          "element_3",
          "element_4",
          "element_5",
          "element_6",
          "element_7",
          "element_8",
          "element_9",
        ]
      # => Element 10 depends on all others — it measures the whole system
      enables: [] # => This is the sustaining loop; feeds back to element_1 review
      sequence: 8
      measurement: "COBIT overall maturity trend; year-over-year improvement; benchmark position vs industry peers"
 
  sequencing_rationale:
    phase_1_foundations: "Elements 1–3 (Framework, Risk Appetite, Operating Model) — must be sequential; none can be skipped"
    phase_2_structure: "Elements 4–5 (Policy Framework, Risk Management) — parallel once foundations are stable"
    phase_3_operations: "Elements 6–7 (Controls, TPRM) — operationalise the structure"
    phase_4_compliance: "Element 8 (Regulatory Compliance) — built on policy, controls, and TPRM"
    phase_5_culture: "Element 9 (Culture and Capability) — change management sustains the programme"
    phase_6_maturity: "Element 10 (Continuous Improvement) — measures and sustains the whole system"
    # => Organisations that attempt elements out of sequence — e.g. culture training before framework exists — waste investment
    # => Most failed governance programmes skip Element 3 (Operating Model) — leading to accountability confusion in all later elements
 
  measurement_approach:
    annual_maturity_assessment: "External COBIT assessor; same instrument each year for comparability"
    quarterly_board_dashboard: "5 KPIs: risk appetite compliance, examination findings trend, control effectiveness, TPRM currency, culture score"
    three_year_target: "COBIT maturity 3.5+ across all domains; benchmark top quartile in sector; zero regulatory MRAs"
    # => World-class is not a destination — it is a sustained posture that requires ongoing investment
 
  board_investment_narrative:
    summary: "IT governance is not a cost centre — it is the risk management infrastructure that protects enterprise value, enables regulatory licence to operate, and provides the Board with the assurance it needs to govern technology with confidence."
    # => Investment narrative connects governance to Board's own accountability — Boards govern better with strong governance infrastructure
    three_year_investment: "£2.8M cumulative (framework, platform, talent, external assessment)"
    three_year_benefit: "Estimated £7.2M in governance failure cost avoidance (regulatory penalties, incidents, audit findings)"
    net_value: "£4.4M net value over 3 years; positive NPV at any reasonable discount rate"
 
# => World-class IT governance is self-evidencing: auditors find fewer findings, regulators issue fewer MRAs, incidents decrease, and the Board reports with confidence
# => The ten elements are a system — removing any one degrades the whole; investment must be sustained across all elements