Abstract
Information Technology has constantly played a key role in the function and services offered
by banking institutions. Banks are investing in reliable, secure, and resilient information
technology infrastructure for high-performance systems to offer efficient banking services to
their customers. However, information technology reliance introduces material risks across
the banking sector. This study used a comprehensive literature review to investigate the risks
the banking sector encounters. The literature review further explores information technology
risk management in the banking sector and different information technology risk management
frameworks, standards, and methodologies applied by the banking sector. The literature
review established that banks typically adhere to the risk and risk management disclosure
requirements, as indicated by King IV and Basel.
This study followed a qualitative research methodology. Purposive sampling was applied to
select the top five commercial banks operating in South Africa to form part of the study.
Content analysis was used as the data collection method. Each bank’s integrated reports for
the period 2018 – 2022 were obtained from each bank’s website. An empirical study sought
to understand how these top five commercial banks manage information technology risks and
to establish whether or not they disclose information technology risk management in their
annual integrated reports over the selected period. The basis of the analysis was the
recommended principles in King IV for principles 11 and 12, as well as the principles stated in
Basel.
An analysis of the results indicated that the top five commercial banks in South Africa disclose
their information technology risk management governance structures, risk management
process, risk appetite, risk management policies, and independent confirmation of the
effectiveness of their information technology risk management function at an appropriate level.
There were instances where specific frameworks, although mentioned in the disclosures, were
not detailed in the integrated report disclosures, but overall it was established that banks do
disclose sufficient information, allowing investors to make informed decisions regarding
information technology risk and risk management in the banking sector. The study also found
that the banks were consistent with their information technology risk management disclosures
during the period under review.