The Accountability Seal Policy recognises five maturity levels, which MYOBI has adopted from “De Nederlandsche Bank.”
Level 1, Initial: The control measures are (partially) defined but are implemented inconsistently. There is a significant dependence on individuals in implementing the control measures. Criteria:
- No or limited control measures are implemented.
- Not performed or ad hoc.
- Not/partly documented.
- The method of implementation depends on the individual (not standardised).
Level 2, Repeatable but informal: Control measures are in place and are implemented in a consistent and structured but informal manner. Criteria:
- The implementation of the control measures is based on an informal but standardised working method.
- This method is not fully documented.
Level 3, Defined: The control measures’ design is documented, implemented, structured, and formalised. The required effectiveness of the control measures is demonstrable and tested. Criteria:
- The control measures are defined based on risk assessment.
- It is documented and formalised.
- Responsibilities and tasks are clearly assigned.
- Design, existence and effective operation are demonstrable.
- Effective operation of controls is periodically tested.
- The risk-based assessment demonstrates that the control is effective over an extended period (> 6 months).
Level 4, Controlled and Measurable: The effectiveness of the control measures is periodically evaluated. Where necessary, the control measures are improved or replaced by other control measures. The evaluation is recorded. Level 3 criteria plus the following:
- Periodic (control) evaluation and follow-up take place.
- Evaluation is documented.
- Tasks and responsibilities for evaluation have been formalised.
- The evaluation frequency is based on the institution’s risk profile and is at least annual.
- (Operational) incidents are included in the evaluation.
- The results of the evaluation are reported to management.
Level 5, Continuous Improvement: The control measures are anchored in the integrated risk management framework, in which continuous improvement of the effectiveness of the measures is sought. External data and benchmarking are used for this. Employees are proactively involved in improving control measures. Level 4 criteria plus the following:
- The control measures are continuously evaluated to enhance their effectiveness.
- Results from self-assessments, gap analyses and root cause analyses are used.
- The control measures taken are benchmarked based on external data and are ‘Best Practice’ compared to other organisations.