
Security through
MaRisk AT8.2

We examine how significant modifications to operational processes or structures and IT systems impact the bank's control procedures - and we do this before they are implemented. In doing so, we have one thing in mind above all else: to maintain or even improve the previous security level.

The requirement comes from the General Section (AT) of the MaRisk: we must examine how significant modifications to operational processes or structures and to IT systems affect the bank's control procedures, and we must do so before they are implemented. The focus is on the following questions:

  • Who has to handle the AT8.2 process, and when?
  • Which modifications count as significant (material)?
  • Do we maintain the previous security level or even improve it?

AT8.2 modifications are mainly processed by specialist project managers, but also by reorganisation managers or task force managers. Certain other departments may issue requirements. The responsible Head of Department confirms each process with their digital signature. To make the task as simple as possible for everyone involved, our tool guides them through the entire process.

In the case of a project, the AT8.2 process is as follows: once a project is approved, the project manager receives an automated request to create an AT8.2 modification in the tool – a separate modification is required for each concept study and each GoLive. The master data should be recorded in full within four weeks. The materiality assessment and all subsequent process steps do not begin until 6–8 weeks before the concept study is submitted or the GoLive takes place. To make it easier for project managers to meet all deadlines, the tool sends them regular reminders.

If the modification is significant, the project manager prepares an impact analysis and, via the tool, informs Internal Audit, Compliance and Risk Control, as well as the departments affected by the change. Each of them evaluates the analysis from its own perspective, so that the effect of the change on the internal control system is assessed and confirmed before it goes live. Finally, each modification is signed electronically by the Head of Department. With that, the MaRisk requirements are fulfilled and the modification may be implemented.