2019-2020 Annual Report and Statement of Accounts

ORGANISATIONAL EFFECTIVENESS Develop a Holistic Internal Risk Management Framework Internal Management The Internal Audit Department (IAD) is an independent appraisal function established within the Bank to examine and evaluate its activities. The Department charged with this responsibility, reports functionally to the Bank’s Board Audit and Risk Committee (BARC) and administratively to the Governor.

During the period 2019/20 the IAD conducted assurance engagements to assess the following: 1. effectiveness of the Bank’s Reserve Management Compliance Function; 2. the Bank’s physical access and security; 3. Agency Office operations in Anguilla, Antigua and Barbuda, the Commonwealth of Dominica and Montserrat; 4. effectiveness of the Bank’s corporate governance and change management arrangements; 5. implementation of the Bank’s Strategic Plan for the period 2017 to 2021; and 6. effectiveness of the Bank Supervision Department in effecting its financial institutions examination mandates.

The IAD also conducted a Bank-wide risk assessment to draw attention to the major areas of risk and to inform the department’s work programme for the 2020/2021 financial period. As part of the IAD’s drive to continually assess its performance and align to the International Standards promulgated by the Institute of Internal Auditors (IIA), the department designed and received Board approval for a Quality Assurance and Improvement Programme. Cyber Security The Bank has a very low tolerance for operational risks and recognises that cyber security risks is one of the most significant impediments to operational resilience. In 2019, the Bank engaged an external service provider to conduct an independent assessment of information technology resilience and cyber maturity. The Bank continues to make progress with the implementation of recommendations from the assessment.

In 2019 the Bank invested in a Security Awareness Training platform to enhance information security awareness and measure progress towards an improved culture of security in the Bank’s staff and stakeholders.

SWIFT Customer Security Programme (CSP) The Bank successfully implemented the mandatory requirements identified in the Society for Worldwide Interbank Financial Telecommunications (SWIFT) Customer Security Programme (CSP) and attested before the 31 December 2019 deadline. To comply with updated SWIFT CSP 2020 attestation requirements, the Bank has completed the gap analysis and is preparing for an independent review of SWIFT security controls.

IP Telephony Solution Implementation of IP Telephony Phase III was completed in December 2019 to ensure automatic transition to the Bank’s backup internet service provider (ISP).

| EASTERN CARIBBEAN CENTRAL BANK ANNUAL REPORT 2019-2020 26