
Managing Tech Risk Is Everyone’s Job: Updates to ProSight’s Framework

ProSight’s revised Technology Risk Framework reflects five years of member feedback and hard-won lessons. The update builds on the original 2020 tool by refining terms, adding flexibility for different risk taxonomies, and stressing a point many banks are still learning: technology risk isn’t just IT’s problem. The revision also offers practical guidance institutions can use to strengthen oversight and prepare for what’s next. 

Rethink who owns tech risk. “Technology [teams] and technology risk are not one and the same,” said Erika Crandall, chief risk officer at Xpansiv Limited. The revised framework makes clear that every business line takes on risk when it relies on technology. By leaving organizational charts out of the picture, the document reinforces that responsibility is shared across the enterprise. 

Use the taxonomy as a roadmap. The framework provides an exhaustive list of risk categories to help institutions identify and classify exposures—from operational disruptions to third-party service provider risks. For mature institutions, the revision serves as a sense-check on coverage. For those just getting started, it’s a roadmap with definitions and examples to help build a foundation. 

Start small but measure consistently. Measurement is where many banks struggle. “Knowing what to measure is hard. Knowing what information to bring to leadership is hard,” said Joshua Henrich, SVP and head of information security governance and risk management at U.S. Bank. The companion guidance suggests focusing on metrics that connect directly to enterprise risks. Smaller banks should narrow in on a handful of key risk indicators that can be tracked reliably. “You start with a handful that are the most meaningful to your organization, that you can measure with a high degree of confidence,” Crandall said. 

Connect technology and enterprise risk. While the framework distinguishes technology risk from other categories, it links directly to ProSight’s Enterprise Risk Management Framework. Used together, they encourage banks to think holistically about risk appetite and interdependencies across the organization. 

Keep evolving. Technology risk won’t sit still, and neither should risk management. “This is ever-changing, and we’ll adapt to the changing needs of the industry,” Henrich said. The framework is meant to evolve with member input, giving banks a tool that can mature with them. 
