Expert panel on information technology
One aspect of a proper business organisation is having an appropriate and effective risk management function, on the basis of which institutions are expected to safeguard their resilience at all times. Even where institutions outsource activities and processes, they must nonetheless guarantee a proper business organisation and the appropriateness and effectiveness of risk management. Outsourced activities and processes must be included in both cases. Standards for the proper organisation of IT and the management of IT risk are notably set forth in the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, or MaRisk) in conjunction with the prudential requirements for IT (Bankaufsichtliche Anforderungen an die IT, or BAIT), and the requirements for systems and controls for algorithmic trading of institutions (Anforderungen an Systeme und Kontrollen für den Algorithmushandel von Instituten). The intention is for the prudential requirements to be implemented in a practice-driven manner, in dialogue with the industry.
The expert panel on information technology therefore mainly serves as a forum for
- discussing strategic IT developments which have a bearing on banking business and the operational risks they might present, and
- debating operational matters in areas such as IT organisation, IT processes, IT systems and control procedures on the basis of specific issues.
It also provides a platform for sharing information on the activities of international working groups and with the UP KRITIS (public-private partnership for critical infrastructure protection) working group for the banking sector, for exploring new IT requirements facing institutions, and for deliberating on the interpretation and application of these requirements. Its members include experts from institutions, IT service providers, banking association representatives, the Federal Office for Information Security and supervisors, as well as representatives from academia.